That is a lot of questions. Let me try to cover all of them.
I'm not aware of an authentication method that I can recommend for 802.1X that uses passwords. All of them depend on the client to validate the EAP server certificate, which can only be enforced on clients that you have under direct control through Group Policy or Device Management systems. When you mention computer accounts, the computers must be in AD, so you could use the Microsoft Enterprise PKI to enroll client certificates and/or use Group Policies to configure the supplicant for proper certificate validation.
On your remark on EAP Chaining, there is standards-based EAP-TEAP now in Windows 10 2004 and beyond, so if the requirement is to authenticate both computer and user in a single authentication, that may be good to have a look at.
Then the joins and Authentication Sources. These are two different things: the join is needed to perform MS-CHAPv2 authentications against a domain controller, so it is not needed for EAP-TLS or PAP authentication. The Authentication Source is used to pull in authorization information like group membership, but could also be used for PAP password authentication where needed.
Every node in a cluster needs to be joined to the domain (or to multiple domains if you have that; not in your case) to have AD perform authentication on behalf of the ClearPass node. This can be compared to joining a server or PC to your domain: what in fact happens is that a computer account is created for each of your ClearPass nodes, and if you check AD you will see computer accounts with the names of your ClearPass servers. Similar to when you have 5 servers that each need to be joined to the domain, each ClearPass needs to be joined to the domain. The account that you use during the join needs to have rights to add computers to the domain (Domain Admin will work in all cases), and will not be used afterward. You can use the same account to join all of your ClearPass servers and even lock or remove that account after the join is done.
For the domain join, you will need to enter the FQDN of one of your domain controllers, and ClearPass will use that domain controller to perform the authentication (failing over to a random other one if it is unreachable). You can also configure password servers after the join, and then only those will be used on that ClearPass node. For that reason, you should enter the designated domain controller for the site where the ClearPass node is located, so on site 3 join cppm-site3 to dc-site3. For this communication, the broader range of MS protocols needs to be allowed through firewalls, like Kerberos (88 TCP), NetBIOS (138, 139, 445), and more. Check here for a quite extensive list.
Then the Authentication Source. That is an LDAP (or better LDAPS) connection and is configured on a cluster level. Here are two possible approaches. You can either create separate Authentication Sources per site and duplicate your services and check on the Connection:Dest-IP-Address for the IP of ClearPass and in that service select the Authentication Source you created for that site. This allows the most freedom as you can put the local site Auth Source first and have a fallback to your datacenter or so.
The other, and probably more elegant, option is to use Global DNS Load Balancing, where the DNS server is instructed to return the local IP for the domain controller in site 2 when the request comes from a system in site 2. Then you can have a single FQDN in your Authentication Source, but get the local IP returned, and that is where ClearPass will connect to. Check here for how you can do that with MS-DNS. Other DNS servers can probably do similar things.
Note that for the Authentication Source, a service account is recommended that has at least read access to the objects that ClearPass uses in the policies. Normal user account privileges (without password expiration) are good in most cases.
With this, your authentication path is (slightly modified and commented):
User in site 2 -> WLC in site 2 -> Radius request to subscriber in site 2 -> Check service in publisher subscriber (as all services are replicated and evaluated locally on the subscriber) -> Authentication from subscriber in site 2 to DC (AD) in site 2
Hope it's somewhat clear like this...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
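As an added illustration of the "Global DNS Load Balancing" approach described in the reply above (this is example code, not part of the original post and not an Aruba or ClearPass artifact), the following PowerShell configures Windows Server DNS policies (available since Windows Server 2016) so that one FQDN used in the ClearPass Authentication Source answers with the local domain controller for the site the query comes from, with a datacenter fallback for requesters outside any known subnet. The zone name `corp.example.com`, the record name `ad-auth`, the site subnets and the DC addresses are constructed placeholders; the TCP port check at the end covers the ports named in the reply (88, 139, 445) plus LDAP 389 and LDAPS 636 for the Authentication Source.

```powershell
# Added example (not from the post): site-aware answers for a single DC FQDN
# using Windows Server DNS policies. All names, subnets and IPs are placeholders.
$Zone   = 'corp.example.com'   # assumption: the AD DNS zone
$Record = 'ad-auth'            # assumption: ClearPass uses ad-auth.corp.example.com

# One entry per site: the subnet that houses that site's ClearPass subscribers
# and the domain controller that should answer for that site.
$Sites = @(
    @{ Name = 'Site1'; Subnet = '10.1.0.0/16'; DcIP = '10.1.0.10' }
    @{ Name = 'Site2'; Subnet = '10.2.0.0/16'; DcIP = '10.2.0.10' }
    @{ Name = 'Site3'; Subnet = '10.3.0.0/16'; DcIP = '10.3.0.10' }
)

# Default answer in the zone's own scope: requesters that match no site
# subnet are sent to the datacenter DC in site 1.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name $Record -IPv4Address '10.1.0.10'

foreach ($s in $Sites) {
    # 1. A client subnet object the policy can match on.
    Add-DnsServerClientSubnet -Name "$($s.Name)Subnet" -IPv4Subnet $s.Subnet

    # 2. A zone scope that holds this site's copy of the record.
    Add-DnsServerZoneScope -ZoneName $Zone -Name "$($s.Name)Scope"
    Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope "$($s.Name)Scope" `
        -A -Name $Record -IPv4Address $s.DcIP

    # 3. Policy: queries arriving from this subnet are answered from this scope.
    Add-DnsServerQueryResolutionPolicy -Name "$($s.Name)Policy" -Action ALLOW `
        -ZoneName $Zone -ClientSubnet "eq,$($s.Name)Subnet" `
        -ZoneScope "$($s.Name)Scope,1"
}

# Verification, run from a host in site 2: the A record should resolve to 10.2.0.10.
Resolve-DnsName -Name "$Record.$Zone" -Type A

# Verification of the firewall flows from site 2 towards dc-site2 (TCP only;
# NetBIOS 138 is UDP and is not covered by Test-NetConnection).
foreach ($port in 88, 139, 445, 389, 636) {
    $r = Test-NetConnection -ComputerName '10.2.0.10' -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,5}  {1}' -f $port, $state
}
```

Two caveats when applying this: DNS policies and zone scopes are stored per DNS server and are not replicated through AD-integrated zones, so the same configuration has to be applied on every DNS server the ClearPass nodes use as resolver; and the policy only steers the LDAP/LDAPS Authentication Source, not the domain join, which still uses the domain controller (or the password servers) configured on each node as described in the reply.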
Original Message:
Sent: Jan 21, 2021 07:28 AM
From: Juan Manuel Castrejo
Subject: Clearpass Cluster and distributed Active Directories
Do you recommend any other authentication method without certificates? We are going to use computer authentication because we cannot do EAP Chaining.
We have further information. There is only one domain shared between several DCs in different sites. The scenario is:
CLUSTER
- Publisher - DC Site 1 - Company Domain
- Standby Publisher - DC Site 1 - Company Domain
- Subscriber - Site 2 - DC Site 2 - Company Domain
- Subscriber - Site 2 - DC Site 2 - Company Domain
- Subscriber - Site 3 - DC Site 3 - Company Domain
- Subscriber - Site 3 - DC Site 3 - Company Domain
Ok, we should join each subscriber to the domain and add each local DC server, right? But I don't understand why each DC has a different password. If the node is joined to only one shared domain, the password should be the same for all the DCs, right?
Another thing that I don't understand. What is the difference between joining each node and adding the AD authentication source in global configuration (for MSCHAPv2)? Should we configure an 802.1x service using this AD and then each node will authenticate against the DC configured for it?
Should the authentication path be like this?
User in site 2 -> WLC in site 2 -> Radius request to subscriber in site 2 -> Check service in publisher -> Authentication from subscriber in site 2 to DC (AD) in site 2
And by the way, what firewall flows should we open? Between cluster (publisher/standby) and all DCs or between subscribers and local DCs?