Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Cluster and distributed Active Directories

  • 1.  Clearpass Cluster and distributed Active Directories

    Posted Jan 19, 2021 12:45 PM
    Hi

    We have a cluster with 2 nodes for guest access and now we need to deploy some subscribers in different sites where we have to authenticate against a local Active Directory. This is our scenario:

    CLUSTER

    - Publisher - Site 1
    - Standby Publisher - Site 1

    - Subscriber - Site 2 - Active Directory Site 2
    - Subscriber - Site 2 - Active Directory Site 2

    - Subscriber - Site 3 - Active Directory Site 3
    - Subscriber - Site 3 - Active Directory Site 3

    According to this information we need to know:

    - For MSCHAPv2 we have to add the AD in the cluster as an authentication source, right?

    - Besides, we have to join the subscribers to the AD, right? Which one, the publisher and standby or all the subscribers?

    - If we add the ADs from site 2 and 3 as auth sources to the cluster, how can we join these ADs according to their site? Must subscribers of site 2 be joined to AD 2 and subscribers of site 3 to AD 3?

    - If the WLC of site 2 sends RADIUS requests to the subscribers of site 2 and the WLC of site 3 to the subscribers of site 3, how is the authentication flow against both ADs?

    - We have to configure a new 802.1X service, but must these 2 ADs be configured as sources? Will this work with two different joined ADs?

    Thank you in advance.
    Regards


  • 2.  RE: Clearpass Cluster and distributed Active Directories

    EMPLOYEE
    Posted Jan 20, 2021 04:23 AM
    Joining the AD is only needed for PEAP/MSCHAPv2 authentication which is deprecated and should only be used if you have 100% control over your endpoint like with Active Directory joined computers managed by Group Policy to enforce the EAP server certificate validation.

    You should join each node that is processing MSCHAPv2 authentication against AD to the domain. If you have local subscribers at remote sites, and they need to be authenticating against the local AD they need to be joined as well. After joining, you can 'edit' the join and select the password servers to restrict to which domain controllers ClearPass will talk.

    What is unclear from your message is if the domain controllers at your sites are part of the same domain, or if they are separate domains, or if they are separate, but part of the same forest. Can you elaborate on that?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Clearpass Cluster and distributed Active Directories

    MVP GURU
    Posted Jan 20, 2021 07:48 AM
    Is there an "easy" way to use the local AD for a remote site? (for LDAP stuff)

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 4.  RE: Clearpass Cluster and distributed Active Directories

    Posted Jan 21, 2021 07:28 AM
    Do you recommend any other authentication method without certificates? We are going to use computer authentication because we cannot do EAP Chaining.

    We have further information. There is only one domain shared between several DCs in different sites. The scenario is:

    CLUSTER
    - Publisher - DC Site 1 - Company Domain
    - Standby Publisher - DC Site 1 - Company Domain
    - Subscriber - Site 2 - DC Site 2 - Company Domain
    - Subscriber - Site 2 - DC Site 2 - Company Domain
    - Subscriber - Site 3 - DC Site 3 - Company Domain
    - Subscriber - Site 3 - DC Site 3 - Company Domain

    Ok, we should join each subscriber to the domain and add each local DC server, right? But I don't understand why each DC has a different password. If the node is joined to only one shared domain, the password should be the same for all the DCs, right?

    Another thing that I don't understand. What is the difference between joining each node and adding the AD authentication source in global configuration (for MSCHAPv2)? Should we configure an 802.1x service using this AD and then each node will authenticate against the DC configured for it?

    Should the authentication path be like this?
    User in site 2 -> WLC in site 2 -> Radius request to subscriber in site 2 -> Check service in publisher -> Authentication from subscriber in site 2 to DC (AD) in site 2

    And by the way, what firewall flows should we open? Between cluster (publisher/standby) and all DCs or between subscribers and local DCs?
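    The firewall-flow question above is one a practitioner would want to answer from the subscriber itself before cutover. The Python below is an added example, not part of the thread and not ClearPass code: it probes, from the node toward a placeholder DC name, the TCP ports named in the reply that follows (Kerberos 88, NetBIOS/SMB 139 and 445) plus 389/636 for the LDAP or LDAPS Authentication Source, and reports what is still blocked. The hostnames, the `cppm-site2` label and the per-port descriptions are the editor's assumptions; NetBIOS 138 is a UDP datagram service, so a TCP connect cannot test it and it is deliberately left out of the list.

```python
"""Probe the ClearPass-node-to-domain-controller TCP flows discussed in this
thread from the node's side, before relying on them.

Added example, not ClearPass code. Hostnames are placeholders. Ports: the
reply's Kerberos 88/tcp and NetBIOS/SMB 139, 445, plus 389/636 for the LDAP or
LDAPS Authentication Source. NetBIOS 138 is UDP and not testable this way.
"""
import socket
from contextlib import contextmanager
from typing import Dict, Iterable, Iterator, List

# Port -> purpose, for the report. Descriptions are the editor's summary.
REQUIRED_TCP_FLOWS: Dict[int, str] = {
    88: "Kerberos (domain join and MSCHAPv2 authentication)",
    139: "NetBIOS session service",
    445: "SMB (domain join, machine account password)",
    389: "LDAP Authentication Source",
    636: "LDAPS Authentication Source (preferred)",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake to host:port completes within timeout.

    Refused, filtered (timeout) and unresolvable hosts all report False; a
    silent timeout is the usual signature of a missing firewall rule.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_flows(dc_host: str,
                   ports: Iterable[int] = tuple(REQUIRED_TCP_FLOWS),
                   timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port once and return {port: reachable}."""
    return {port: tcp_port_open(dc_host, port, timeout) for port in ports}


def missing_flows(results: Dict[int, bool]) -> List[int]:
    """Ports that must still be opened, in ascending order."""
    return sorted(port for port, ok in results.items() if not ok)


def format_report(node: str, dc_host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary, one line per probed port."""
    lines = [f"{node} -> {dc_host}"]
    for port in sorted(results):
        state = "open" if results[port] else "BLOCKED"
        lines.append(f"  {port:>4}/tcp {state:<8} {REQUIRED_TCP_FLOWS.get(port, '')}")
    return "\n".join(lines)


@contextmanager
def local_listener() -> Iterator[int]:
    """Loopback TCP listener on an ephemeral port, used to self-check the
    probe logic without touching a real domain controller."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        yield srv.getsockname()[1]
    finally:
        srv.close()


if __name__ == "__main__":
    # Placeholder names: run this from each subscriber against its own site's DCs.
    for dc in ("dc1-site2.company.example", "dc2-site2.company.example"):
        results = check_dc_flows(dc)
        print(format_report("cppm-site2", dc, results))
        if missing_flows(results):
            print("  still to open:", missing_flows(results))
```

    Run it from each subscriber against both local DCs; a `BLOCKED` line on 88 or 445 means the join or MSCHAPv2 path will fail, a `BLOCKED` 636 means the Authentication Source cannot use LDAPS from that node.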


  • 5.  RE: Clearpass Cluster and distributed Active Directories

    EMPLOYEE
    Posted Jan 21, 2021 08:52 AM
    That is a lot of questions. Let me try to cover all of them.

    I'm not aware of an authentication method that I can recommend for 802.1X that uses passwords. All of them depend on the client to validate the EAP server certificate which can only be enforced on clients that you have under direct control through Group Policy or Device Management systems. When you mention computer accounts, the computers must be in AD, so you could use the Microsoft Enterprise PKI to enroll client certificates and (or) use Group Policies to configure the supplicant for proper certificate validation.

    On your remark of EAP-Chaining, there is standards based EAP-TEAP now in Windows 10 2004 and beyond, so if the requirement is to authenticate both computer and user in a single authentication, that may be good to have a look at.

    Then the joins and Authentication sources. These are two different things and the Join is needed to perform MS-CHAPv2 authentications against a domain controller, so not needed for EAP-TLS or PAP authentication. The Authentication Source is used to pull in authorization information like group membership but could also be used for PAP password authentications where needed.

    Every node in a cluster needs to be joined to the domain or to multiple domains if you have that (not in your case) to have AD perform authentication on behalf of the ClearPass node. This can be compared to joining a server or PC to your domain, and what in fact happens is that a computer account is created for each of your ClearPass nodes and if you check AD you will see computer accounts with the names of your ClearPass servers. Similar to when you have 5 servers that each need to be joined to the domain, each ClearPass needs to be joined to the domain. The account that you use during the join, needs to have rights to add computers to the domain (Domain Admin will work in all cases), and will not be used afterward. You can use the same account to join all of your ClearPass servers and even lock or remove that account after the join is done.

    For the domain join, you will need to enter the FQDN of one of your domain controllers, and ClearPass will use that domain controller to perform the authentication (failing over to a random other one if it is unreachable). You can also configure password servers after the join, and then only those will be used on that ClearPass node. For that reason, you should enter the designated domain controller for the site where the ClearPass node is located, so on site 3 join the cppm-site3 to dc-site3. For this communication, the broader range of MS protocols needs to be allowed through firewalls, like Kerberos (88/tcp), NetBIOS 138, 139, 445, and more. Check here for a quite extensive list.

    Then the Authentication Source. That is an LDAP (or better LDAPS) connection and is configured on a cluster level. Here are two possible approaches. You can either create separate Authentication Sources per site, duplicate your services, check on Connection:Dest-IP-Address for the IP of the ClearPass node, and in that service select the Authentication Source you created for that site. This allows the most freedom, as you can put the local site Auth Source first and have a fallback to your datacenter or so.

    The other and probably more elegant option is to use Global DNS Load Balancing, where the DNS server is instructed to return the local IP for the domain controller in site 2 when the request comes from a system in site 2. Then you can have a single FQDN in your Authentication, but get the local IP returned, and that is where ClearPass will connect to. Check here how you can do that with MS-DNS. Other DNS servers can probably do similar things.

    Note that for the Authentication Source, a service account is recommended that has at least read access to the objects that ClearPass uses in the policies. Normal user account privileges (without password expiration) are good in most cases.

    With this, your authentication path is (slightly modified and commented):
    User in site 2 -> WLC in site 2 -> Radius request to subscriber in site 2 -> Check service in publisher subscriber (as all services are replicated and evaluated locally on the subscriber) -> Authentication from subscriber in site 2 to DC (AD) in site 2

    Hope it's somewhat clear like this...


    ------------------------------
    Herman Robers
    ------------------------------
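    The DNS approach in the reply above can be made concrete. The Python below is an added illustration, not ClearPass or Microsoft DNS code: it models a resolver that orders the A records of a single DC name by the requester's subnet, so a subscriber in site 2 gets the site-2 address first while a requester matching no site gets the unchanged list, and it shows how the remaining records serve as fallback when the local DC is down. The FQDN `dc.company.example`, the 10.x.0.0/24 site subnets and the /24 match length are constructed assumptions.

```python
"""Model of the DNS-based approach from the reply above: one FQDN for the
domain controller, with the resolver ordering the A records so the address in
the requester's own subnet comes first (what MS-DNS calls netmask ordering).

Added illustration, not ClearPass or Microsoft DNS code. The FQDN, subnets and
addresses are constructed sample values."""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed sample zone data: the shared DC name has one A record per site.
DC_FQDN = "dc.company.example"
DC_RECORDS: Dict[str, List[str]] = {
    DC_FQDN: ["10.1.0.10", "10.2.0.10", "10.3.0.10"],  # site 1, site 2, site 3
}


def order_by_locality(records: List[str], client_ip: str, prefix_len: int = 24) -> List[str]:
    """Return records with those in the client's /prefix_len network first.

    Records outside the client's subnet keep their original relative order,
    so a client that matches no site (e.g. a management host elsewhere)
    gets the unchanged answer and plain round-robin behaviour.
    """
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in client_net]
    remote = [r for r in records if ipaddress.ip_address(r) not in client_net]
    return local + remote


def resolve_for(client_ip: str, name: str = DC_FQDN, prefix_len: int = 24) -> str:
    """Address a client at client_ip connects to: the first ordered record.

    A ClearPass subscriber in site 2 therefore reaches the site-2 DC even
    though every node shares the same Authentication Source hostname.
    """
    return order_by_locality(DC_RECORDS[name], client_ip, prefix_len)[0]


def pick_reachable(client_ip: str, unreachable: Set[str],
                   name: str = DC_FQDN, prefix_len: int = 24) -> Optional[str]:
    """First ordered address not in `unreachable`, or None if all are down.

    Shows the fallback the reply mentions: when the local DC is unreachable,
    the ordering still leaves the other sites' DCs as candidates.
    """
    for addr in order_by_locality(DC_RECORDS[name], client_ip, prefix_len):
        if addr not in unreachable:
            return addr
    return None


if __name__ == "__main__":
    for subscriber in ("10.2.0.25", "10.3.0.40", "192.168.9.5"):
        print(f"{subscriber:>13} -> {DC_FQDN} = {resolve_for(subscriber)}")
    print("site 2 with local DC down ->", pick_reachable("10.2.0.25", {"10.2.0.10"}))
```

    The per-site Authentication Source alternative from the same reply (matching Connection:Dest-IP-Address to the subscriber) achieves the same site locality inside ClearPass policy rather than in DNS; this model covers only the DNS variant, and the match length is the setting to agree with your DNS team, since a site whose subscribers and DC sit in different /24s would match nothing under the default used here.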



  • 6.  RE: Clearpass Cluster and distributed Active Directories

    Posted Jan 21, 2021 11:26 AM

    OMG! Thank you for this level of detail.

    Just in case we use certificates, you are talking about EAP-TLS, right?

    Yes, I know EAP-TEAP, but the problem here is that not all computers have Windows 10. We will use MSCHAPv2 instead of PAP, because it is more secure, so we need to join.

    If we have already joined using the local DC FQDN and the admin account, what are those passwords? We need to configure two local DCs for redundancy purposes; how should we do that?

    The documentation says that it is possible to configure one AD and leave it to request to different DCs by itself. Is this right? What is the difference between this configuration and configuring several DCs manually?

    I still don't understand why ClearPass separates authentication (AD join) and authorization (auth source). I thought that in the authentication source we should configure only the shared AD (only one), not each DC. Is the traffic routed by the local subscribers for authorization too? How can ClearPass put together these two processes if they are configured separately (we could have different DCs for auth and join)?

    Finally, we will have 5 sites, with 5 pairs of subscribers and 5 pairs of DCs (same AD, primary and redundant DC). What is the best approach from your point of view for this scenario (we cannot use the DNS option)?

    Thank you so much!