Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Methods for Active Directory based on geo location of server?

  • 1.  Methods for Active Directory based on geo location of server?

    Posted 10 days ago
    I understand that each CPPM node can have local "password servers" configured for their AD Domain, to ensure that they use the specific ones the admin wants them to use e.g. geographically local.

    However, I'm not clear on how this relates to setting up an Active Directory Authentication Source. When you create an authentication source you must enter the FQDN of a domain controller, which can only exist in one geo location. Backup domain controllers are also manually configured here with FQDNs.

    • How then does this "static" Authn Source tie in with the configured Password Servers on each CPPM?
    • Does the Password Server setting override the Primary Hostname in the Authn Source?
    • What happens to the backups?
    • If the Password Servers actually have nothing to do with the Authn Source, how can the Authn Source be directed to the desired server in a service policy? I don't want to duplicate every service policy per geo.


    ------------------------------
    vf556-2
    ------------------------------


  • 2.  RE: Methods for Active Directory based on geo location of server?

    Posted 10 days ago
    Authentication Source is LDAP; Password Servers (and joining an AD domain) are to support MS-CHAPv2 credential validation. The two really don't have anything to do with each other.

    No.

    Backups are used in priority order if the Primary doesn't respond within the timeout.

    You would need to use a geo or site based DNS response so that a query for the domain (e.g. "domain.com") will return a local DC.

    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
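
The reply above relies on DNS answering differently per site so that the static hostname in the LDAP authentication source resolves to a local DC. Active Directory already publishes site-scoped SRV records (`_ldap._tcp.<Site>._sites.dc._msdcs.<domain>`) alongside the domain-wide set (`_ldap._tcp.dc._msdcs.<domain>`), and a site-aware client orders the answers by RFC 2782 priority/weight. The script below is an added example, not code from the thread or from ClearPass: it reproduces that selection so you can see, per site, which DC (and which fallback order) DNS would hand a node before committing a name to the authentication source. The domain `example.com`, the sites `London`/`Sydney`, the DC names and the sample zone are constructed; the live resolver assumes `dig` is installed.

```python
"""
Site-aware DC selection check.

Given an SRV resolver, pick the DC a site-aware client would contact
(RFC 2782: ascending priority; weighted-random order within a priority)
and return the full ordered fallback list. Pass a site's name to confirm
its DNS answer really is the geographically local DC.
"""
import random
import subprocess
from typing import Callable, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)
Resolver = Callable[[str], List[SrvRecord]]


def site_srv_name(domain: str, site: str) -> str:
    """SRV name AD registers for DCs in one site (site-scoped record set)."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def domain_srv_name(domain: str) -> str:
    """Domain-wide SRV name covering every DC, used when a site has none."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order records per RFC 2782. Within one priority, entries are drawn
    weighted-randomly; weight-0 entries are only drawn once all positive-
    weight entries of that priority are exhausted."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[0]
            if total > 0:
                x = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r[1]
                    if x < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def select_dc(domain: str, site: str, resolve: Resolver,
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[str]]:
    """Return (srv name answered, ordered 'host:port' list). The site-scoped
    set is preferred; the domain-wide set is the fallback; (None, []) if neither."""
    for name in (site_srv_name(domain, site), domain_srv_name(domain)):
        recs = resolve(name)
        if recs:
            return name, [f"{t.rstrip('.')}:{p}" for _, _, p, t in order_srv(recs, rng)]
    return None, []


def local_dc_check(domain: str, site: str, resolve: Resolver, expected_prefix: str,
                   rng: Optional[random.Random] = None) -> bool:
    """True if the first DC chosen for `site` carries the expected hostname
    prefix, i.e. the DNS answer for that site is the local DC."""
    _, ordered = select_dc(domain, site, resolve, rng)
    return bool(ordered) and ordered[0].startswith(expected_prefix)


# Constructed sample zone (hypothetical names). London has a site-scoped set
# that prefers its own two DCs and lists a remote DC at a worse priority;
# Sydney has no site-scoped set, so it falls back to the domain-wide answer.
SAMPLE_ZONE = {
    "_ldap._tcp.London._sites.dc._msdcs.example.com": [
        (0, 100, 389, "lon-dc1.example.com."),
        (0, 100, 389, "lon-dc2.example.com."),
        (10, 0, 389, "nyc-dc1.example.com."),
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        (0, 100, 389, "lon-dc1.example.com."),
        (0, 100, 389, "lon-dc2.example.com."),
        (0, 100, 389, "nyc-dc1.example.com."),
    ],
}


def sample_resolver(name: str) -> List[SrvRecord]:
    return list(SAMPLE_ZONE.get(name, []))


def dig_resolver(name: str) -> List[SrvRecord]:
    """Live lookup using `dig +short SRV <name>`, whose lines read
    '<priority> <weight> <port> <target>.'. Assumes dig is installed."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False).stdout
    recs: List[SrvRecord] = []
    for line in out.splitlines():
        parts = line.split()
        if len(parts) == 4:
            recs.append((int(parts[0]), int(parts[1]), int(parts[2]), parts[3]))
    return recs


if __name__ == "__main__":
    for site in ("London", "Sydney"):
        name, order = select_dc("example.com", site, sample_resolver, random.Random(1))
        print(f"{site}: answered by {name} -> {order}")
        print(f"  local DC first: {local_dc_check('example.com', site, sample_resolver, 'lon-')}")
```

Run it from a node in each site with `dig_resolver` in place of `sample_resolver` and the real site name from `nltest /dsgetsite` or `ADSI` to see what that node's DNS actually returns; if the first entry is not the local DC, the name you put in the authentication source will not give you the geo-local behaviour you are after, however the backups are ordered.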



  • 3.  RE: Methods for Active Directory based on geo location of server?

    Posted 10 days ago
    Thanks for confirming. I will be aiming for the DNS-based approach for the LDAP authN source.