Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NT STATUS CONNECTION RESET Clearpass

  • 1.  NT STATUS CONNECTION RESET Clearpass

    Posted Sep 10, 2014 11:53 AM

    We have been trying to reconnect our ClearPass server to our AD but we keep getting the same issue. We called TAC but they are stumped as well. Our username and password for the domain are correct, we were able to disconnect the ClearPass server from the AD. Has anyone else come across this issue?

    here are a couple of screen captures

    error 1.PNG

     

    error2.PNG



  • 2.  RE: NT STATUS CONNECTION RESET Clearpass
    Best Answer

    Posted Sep 10, 2014 07:47 PM

    Can you do a "network nslookup -q host" to that domain from the ClearPass CLI?

     

    Also, is your clock set correctly?



  • 3.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Dec 01, 2014 03:15 PM
     I have the same problem, but I failed to link it to AD; you could fix.
     
    Fredy Gualdron


  • 4.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Dec 20, 2014 10:29 AM

    if you have the exact same problem fgualdron, then answer the questions posted above you.

     

    also for mmurphy, is this solved for you?



  • 5.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Apr 22, 2015 11:34 AM

    I'm also having the same problem joining Clearpass to the domain.

    ClearPass Policy Manager 6.5.1.72346 on CP-VA-25K platform

    The domain controller is the primary DNS server.

    The clock is set to NTP using the domain controller as the NTP server.  Double-checked and the time between the two is spot on.

     

    NSlookup does return the domain controller:

    [appadmin@cppm01]# network nslookup -q host dc01.local.customer.ca
    unknown query type: HOST
    Server: 10.10.10.3
    Address: 10.10.10.3#53

    Name: dc01.local.customer.ca
    Address: 10.10.10.3

     

    We are using a Domain Admin account.   But no matter what we try, the results are the same:

     

    Adding host to AD domain...
    INFO - Fetched REALM 'LOCAL.CUSTOMER.CA' from domain FQDN
    'dc01.local.customer.ca'
    INFO - Fetched the NETBIOS name 'CC'
    INFO - Creating domain directories for 'CC'
    Enter da1's password:
    Failed to join domain: failed to lookup DC info for domain
    'LOCAL.CUSTOMER.CA' over rpc: NT_STATUS_CONNECTION_RESET
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'CC'
    ERROR - cppm01 failed to join the domain LOCAL.CUSTOMER.CA
    with domain controller as dc01.local.customer.ca
    Join domain failed

     

    The only thing I can't do is use the default "Administrator" account because they have renamed it on their domain.



  • 6.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Apr 23, 2015 03:22 PM

    [edit] please start a new thread for a new question.

     

    no direct experience with this error, but if i google for that specific error i see several times solutions like this come up

     

    http://www.linuxquestions.org/questions/linux-server-73/connecting-samba-to-a-windows-2012r2-domain-4175485746/

     

    https://bugs.pcbsd.org/issues/8359

     

    you could have a look at those. also making a packet capture during the join and looking if there are better hints there might help.

     

     



  • 7.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Apr 23, 2015 08:35 PM

    Thanks for the reply.  I did see that Samba article and forwarded it to the customer, but they are completely opposed to modifying AD.  Their opinion is that too many things depend on AD that they can't risk causing issues.

    I would have hoped that Aruba would have tested Clearpass on AD 2012 before releasing it to the wild.  I have a case open with TAC so hopefully they will come up with a solution.



  • 8.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Apr 24, 2015 01:17 PM

    More digging with TAC confirms that Clearpass 6.5.x is running SMB version 3.6.2.x, so the above links about enabling SMB v. 1 on the domain won't work anyway.  Important for anyone else out there who may try it as a possible solution.

     

     



  • 9.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Apr 25, 2015 07:48 AM

    ok that is good to know, will prevent people from trying something that doesn't work.

     

    i would then fall back to making a packet capture and seeing if you can find more information there. perhaps the server sends something with that message that points to a cause.



  • 10.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted May 02, 2015 08:31 AM

    Microsoft support came through with a Registry fix which when applied, enabled the unit to be joined to the domain, with a compromise though.
    Their testing identified that the system is using SMB1 (in contradiction with what Aruba TAC told us) to communicate to the Domain Controller, and this registry setting lowers our domain security a bit by allowing this.

    It does require a server reboot on the DC. Any communication coming from the ClearPass unit, which is using SMB1, hitting the other 3 DCs will fail. The default domain controller policy for Network Security is still set to Send NTLMv2 response only. Refuse LM.

    This is the Reg Key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService

    Original Value: SamSS Srv2
    Change to : SamSS Srv2 Srv

    (where Srv2=SMB2 and Srv=SMB1)

    The customer is asking Aruba to change Clearpass to use SMB2 because they aren't happy about lowering the domain security. SMB1 is +10yrs old.
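
The packet capture suggested earlier in the thread can settle which SMB version the joining host offers: the first client payload on TCP/445 carries the dialect list. The following is an added example, not part of any post and not ClearPass or Aruba code; the function names and the sample payloads are constructed for illustration.

```python
import struct
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"

def classify_negotiate(payload: bytes):
    """Return (label, dialects) for an SMB negotiate request on TCP/445, else None."""
    if len(payload) < 8 or payload[0] != 0x00:        # 0x00 = session message
        return None
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB1_MAGIC:
        # 32-byte header: command at 4 (0x72 = negotiate), flags at 9 (0x80 = reply)
        if len(msg) < 35 or msg[4] != 0x72 or msg[9] & 0x80:
            return None
        off = 33 + 2 * msg[32]                        # skip WordCount and its words
        if len(msg) < off + 2:
            return None
        (byte_count,) = struct.unpack_from("<H", msg, off)
        data = msg[off + 2:off + 2 + byte_count]
        # Each offered dialect is 0x02 + ASCII name + NUL.
        names = [p[1:].decode("ascii", "replace") for p in data.split(b"\x00") if p[:1] == b"\x02"]
        # "SMB 2.xxx" names mean the server may answer with SMB2 instead of SMB1.
        upgradable = any(n.startswith("SMB 2") for n in names)
        return ("smb1-multiprotocol" if upgradable else "smb1-only", names)
    if msg[:4] == SMB2_MAGIC:
        # 64-byte header: command at 12 (0 = negotiate), flags at 16 (bit 0 = response)
        if len(msg) < 100 or msg[12:14] != b"\x00\x00" or msg[16] & 0x01:
            return None
        (count,) = struct.unpack_from("<H", msg, 66)  # DialectCount
        if len(msg) < 100 + 2 * count:
            return None
        return ("smb2", ["0x%04x" % d for d in struct.unpack_from("<%dH" % count, msg, 100)])
    return None

# --- builders for constructed sample payloads (not taken from a real capture) ---
def nbss_frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg
def build_smb1_negotiate(names):
    data = b"".join(b"\x02" + n.encode() + b"\x00" for n in names)
    return nbss_frame(SMB1_MAGIC + b"\x72" + bytes(27) + b"\x00" + struct.pack("<H", len(data)) + data)
def build_smb2_negotiate(dialects):
    body = struct.pack("<HH", 36, len(dialects)) + bytes(32)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return nbss_frame(SMB2_MAGIC + struct.pack("<H", 64) + bytes(58) + body)

if __name__ == "__main__":
    for names in (["LANMAN1.0", "NT LM 0.12"], ["NT LM 0.12", "SMB 2.002", "SMB 2.???"]):
        print(classify_negotiate(build_smb1_negotiate(names)))
    print(classify_negotiate(build_smb2_negotiate([0x0202, 0x0210, 0x0300])))
```

A result of `smb1-only` for the joining host's first payload means a domain controller without the SMB1 server component has no dialect it can accept from that client.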



  • 11.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted May 03, 2015 05:26 AM

    i assume you did mention this to TAC?

     

    i believe the domain joining is a one time action, it is mentioned you can disable / delete the user you use afterwards. so you could try to restore your AD settings again to higher and check if everything remains working.



  • 12.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted May 05, 2015 11:53 AM

    TAC has been updated, yes.

    It looks like SMBv1 is required.  We tested this by making the registry change to only 1 DC.

     

    We tested PEAP-MSCHAP authentication with that DC online.  Authentication succeeds.

    Then we tested PEAP-MSCHAP authentication with that DC offline.  Authentication fails, with the following error in Access Tracker:  ERROR RadiusServer.Radius - rlm_mschap: AD status:No logon servers (0xc000005e)

     

    This tells me that Clearpass uses SMBv1 for both joining the AD domain, and for MSCHAP authentication.   The customer is requesting whether Clearpass can be configured to use SMB2… SMB1 is +10yrs old.  Hopefully TAC will get some action on this.



  • 13.  RE: NT STATUS CONNECTION RESET Clearpass

    EMPLOYEE
    Posted May 05, 2015 11:56 AM
    Did you submit an rfe on the idea portal?


    Thanks,
    Tim


  • 14.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Jan 26, 2017 12:23 PM

    Has support for SMBv2 been added in Clearpass? We are experiencing this issue with DCs on Windows 2012 Server.



  • 15.  RE: NT STATUS CONNECTION RESET Clearpass

    Posted Jan 29, 2017 09:00 AM

    as suggested submit a RFE and post back for others to add their vote to it.

     

    also a new thread with a better subject will probably make it easier to find this again.



  • 17.  RE: NT STATUS CONNECTION RESET Clearpass

    EMPLOYEE
    Posted Jul 26, 2017 04:51 PM

    Update: SMBv2 and SMBv3 support is available via a hotfix for ClearPass 6.6.7

     

    http://community.arubanetworks.com/t5/Security/ClearPass-Release-Announcements/m-p/303234#M32873