View Only
last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Joining ClearPass to Azure AD Domain Services

This thread has been viewed 17 times
  • 1.  Joining ClearPass to Azure AD Domain Services

    Posted Dec 21, 2021 09:14 AM
    I am trying to build all cloud ClearPass - Azure ADDS setup. I can see that Centos can join Azure ADDS as per Microsoft documentation

    I have Azure ADDS setup and ClearPass in Azure Cloud. I can do LDAP/LDAPS from ClearPass to AADDS with no issues and I can join Windows devices to AADDS. I am trying to join ClearPass to AADDS to try EAP-PEAP, but I am receiving the following error (I replaced domain name with xxxxx)

    Adding host to AD domain...
    INFO - Fetched REALM 'xxxxx.COM' from domain FQDN
    INFO - Fetched the NETBIOS name 'xxxxx'
    INFO - Creating domain directories for 'xxxxx'
    Enter admin@xxxxx.COM's password:
    kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
    ldap/ with user[admin] realm[xxxxx.COM]: Unexpected information received
    Failed to join domain: failed to connect to AD: Unexpected
    information received
    INFO - Restoring smb configuration
    INFO - Deleting domain directories for 'xxxxx'
    ERROR - cppm failed to join the domain xxxxx.COM with
    domain controller as
    Join domain failed

    Any one tried this before? Should this work? is it supported by Aruba?

    Ahmad Enaya

  • 2.  RE: Joining ClearPass to Azure AD Domain Services

    Posted Dec 21, 2021 04:36 PM
    you can only do EAP-TLS auth with your setup.
    Note that legacy protocols such as EAP-PEAP are no longer supported when moving from on-prem to cloud identity providers.  
    if you need to do EAP-PEAP auth, then you 'll need NPS integration to Azure AD that can then be used as a RADIUS server by ClearPass.

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

  • 3.  RE: Joining ClearPass to Azure AD Domain Services

    Posted Dec 22, 2021 03:09 PM
    AAD DS is not supported for this use case. If you still want to use legacy protocols (PEAPv0/EAP-MSCHAPv2), which you shouldn't do, you'd need to set up a legacy AD domain controller as a VM in Azure.

    Tim C