Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass LDAP over SSL certificates

This thread has been viewed 37 times
  • 1.  Clearpass LDAP over SSL certificates

    Posted Sep 01, 2021 10:26 AM

    I am configuring secure LDAP connection and during authentication attempt Clearpass complains that it is not able to establish connection with LDAP server:

    2021-09-01 09:27:56,920               [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: CN=xxx,OU=xxx-xx,O=xxx bind to xxx.xxx.com:636 failed: Can't contact LDAP server

    2021-09-01 09:27:56,920               [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed

    2021-09-01 09:27:56,920               [Th 42 Req 981 SessId R00000226-01-612f479c] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)

    Packet capture confirms that Clearpass rejects LDAP cert.

     

    The self signed LDAP cert is imported in the trust list and it has the following usage assigned - AD/LDAP Servers, EAP, Others.

     

    Does Clearpass allow self signed cert usage on LDAP server for LDAP over SSL?



    ------------------------------
    Aivars Brizs
    ------------------------------


  • 2.  RE: Clearpass LDAP over SSL certificates

    Posted Sep 01, 2021 03:11 PM
    Hi Aivars,

    I'm doing the same, my LDAP Cert is self-signed. You need to make sure, that the cert CN reflects the domain name and the DC domain name as well. I'm using a wildcard cert for that like this:

    cn=*.domain.tld

    Check if this works.

    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------



  • 3.  RE: Clearpass LDAP over SSL certificates

    Posted Sep 02, 2021 04:44 AM
    I've never tried self-signed. Private/internal CA works, but self-signed is not something you probably should deploy. You can disable the certificate checking in your authentication source.

    The message indicates that self-signed is not supported; maybe TAC can tell you if that is correct, but if it is not too much of an effort, I would create a (private) CA and have that sign your LDAP. The easiest in AD environment would be the AD Certificate Services, but if that is not possible, you can use ClearPass Onboard as well to set up a new CA (make it long-living, think 9999 days is the max), then create a server cert from there (also make that few years at least) and install that on your AD server.

    For a larger environment (or... not lab), make sure you have your certificates deployed correctly, and get professional assistance/advice if you are not sure about what to do.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Clearpass LDAP over SSL certificates

    Posted Sep 22, 2021 11:32 AM
    You should also import CA certificate into trust store.


  • 5.  RE: Clearpass LDAP over SSL certificates

    Posted Sep 03, 2021 01:59 AM

    Thank you for your comments!

    I was not keen to open TAC case because my recent experience with TAC is not encouraging to say the least. Your answers came much faster that I would receive anything from TAC. However, TAC is totally different topic.

    As Aruba partner we have to work with what the customer has. If customer does not have its own CA and it is out of the project scope, the best we can do is improvise. This particular customer has no AD. Instead they use e-directory. I am not sure what CA functionality options in any there. For just a few certs I might use XCA tool.



    ------------------------------
    Aivars Brizs
    ------------------------------



  • 6.  RE: Clearpass LDAP over SSL certificates

    Posted 28 days ago
     The easiest in AD environment would be the AD Certificate Services, but if that is not possible, you can use ClearPass Onboard as well to set up a new CA (make it long-living, think 9999 days is the max), then create a server cert from there (also make that few years at least) and install that on your AD server. 

    ------------------------------
    Loud Wasp
    ------------------------------



  • 7.  RE: Clearpass LDAP over SSL certificates

    Posted 27 days ago

    I would like to summarize things.

    We made it work by replacing the default self-signed LDAP certificate with "CA" signed. I used XCA tool as CA. Anybody can use his/her favorite search engine to find it. Basically, it is a free opensource GUI tool for certificate manipulation. This was far faster than dealing with TAC or investigating why self-signed is not working. A message for Clearpass guys. There is a problem either with documentation or log messages. Please fix either one. The documentation does not say that self-signed certificates cannot be used or what certificate parameters are checked. If self-signed certs are accepted, log messages are misleading.



    ------------------------------
    Aivars Brizs
    ------------------------------