Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass LDAPS fails to bind with Active Directory

  • 1.  Clearpass LDAPS fails to bind with Active Directory

    Posted Mar 15, 2021 11:06 PM
    Hi all, I'm trying to set up an Auth Source using AD over SSL but not having any luck getting it to bind. I've followed Aruba ClearPass Workshop - Getting Started #6 - Secure AD with LDAPS (arubanetworks.com), which was simple enough to do. I have our internal Microsoft Enterprise CA cert in the Trust List on ClearPass. I can use LDP.exe to connect to our AD from my machine. We do have multiple "server authentication" certs in the personal cert store of the DC; however, they are all signed by the same enterprise CA and should be valid for use with LDAPS from what I've read (right?). What other things could I be missing? I do know that our CA uses RSASSA-PSS, which isn't supported by our Palo FW. Could the same be true for ClearPass? Appreciate any troubleshooting tips or guidance you guys can provide. Thanks :)


    Edited to add:
    Not sure if this is relevant to ClearPass; however, I thought I had better mention that the server authentication certificates on the DC have a blank Subject but do have a SAN matching the DC's FQDN, as per Third Party Application Fails Using LDAP over SSL | Microsoft Docs.
    The failed login attempt results in following error:
    Failed to connect and bind to host=dc.domain.local, error=java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

    ------------------------------
    Michelle Shawcross
    ------------------------------


  • 2.  RE: Clearpass LDAPS fails to bind with Active Directory

    EMPLOYEE
    Posted Mar 16, 2021 05:16 AM
    The message 'Certificates do not conform to algorithm constraints' points in the direction of one of your algorithms being unsupported or considered weak. Do you have FIPS-mode possibly enabled? Also, there are options to enable weak encryption in the Cluster-wide parameters:


    Searching on PKCS#1 v2.1 shows wide issues with RSASSA-PSS, so it may affect ClearPass as well. I see one issue where an RSASSA-PSS-signed HTTPS certificate cannot be installed in ClearPass, and for that issue engineering is working to get that supported in a future update. Please reach out to Aruba TAC if changing the above settings does not make a difference, and let them determine if this is the same situation; if not, let them add this scenario to the requested fix.


    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
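The one check worth doing before opening a TAC case is to confirm what the DC's LDAPS certificate actually carries, because "Certificates do not conform to algorithm constraints" is the wording of the Java TLS stack's algorithm-constraint check, not an LDAP bind error. The script below is an added example and is not code from the thread, from Aruba/HPE or from ClearPass: a standard-library-only DER walker that reports the certificate's outer signature algorithm (RSASSA-PSS is OID 1.2.840.113549.1.1.10, sha256WithRSAEncryption is 1.2.840.113549.1.1.11), whether the Subject is blank, and the dNSName entries in the subjectAltName extension, which are the three facts from the first post. It does not verify the signature or the chain. The host name dc.domain.local is taken from the error message in the thread; the sample certificate built by build_sample_cert() is constructed here for demonstration, with placeholder key and signature bytes, and is not a real DC certificate.

```python
import ssl

OID_RSASSA_PSS = "1.2.840.113549.1.1.10"   # id-RSASSA-PSS (PKCS#1 v2.1)
OID_SAN = "2.5.29.17"                      # id-ce-subjectAltName

# DER content bytes of the OIDs used when constructing the sample certificate.
DER_OID_RSASSA_PSS = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a"
DER_OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
DER_OID_SAN = b"\x55\x1d\x11"


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der):
    """Report signature algorithm, blank-Subject and SAN dNSNames of a DER cert."""
    cert = _children(_read_tlv(der, 0)[1])          # tbsCertificate, sigAlg, sigValue
    sig_alg = _decode_oid(_children(cert[1][1])[0][1])
    fields = _children(cert[0][1])
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, [uniqueIDs], [3] exts
    subject = fields[4][1]
    san_dns = []
    for tag, val in fields[6:]:
        if tag != 0xA3:
            continue
        for _, ext in _children(_children(val)[0][1]):      # SEQUENCE OF Extension
            parts = _children(ext)                          # extnID, [critical], extnValue
            if _decode_oid(parts[0][1]) != OID_SAN:
                continue
            for gn_tag, gn in _children(_children(parts[-1][1])[0][1]):
                if gn_tag == 0x82:                          # dNSName [2] IA5String
                    san_dns.append(gn.decode("ascii"))
    return {"signature_algorithm": sig_alg,
            "rsassa_pss": sig_alg == OID_RSASSA_PSS,
            "subject_empty": len(subject) == 0,
            "san_dns": san_dns}


def fetch_der(host, port=636):
    """Fetch the certificate a DC presents on its LDAPS port (needs network access)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def _tlv(tag, content):
    """DER-encode one TLV; lengths below 65536 are enough for the sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def build_sample_cert(pss=True, subject_empty=True, dns="dc.domain.local"):
    """Constructed Certificate skeleton shaped like the DC cert described in the thread.
    Key and signature bytes are placeholders, so the result is not verifiable."""
    alg_id = _tlv(0x30, _tlv(0x06, DER_OID_RSASSA_PSS if pss else DER_OID_SHA256_RSA)
                  + (_tlv(0x30, b"") if pss else _tlv(0x05, b"")))   # PSS params / NULL
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Enterprise CA"))
    issuer = _tlv(0x30, _tlv(0x31, cn))
    validity = _tlv(0x30, _tlv(0x17, b"210101000000Z") + _tlv(0x17, b"260101000000Z"))
    subject = _tlv(0x30, b"") if subject_empty else issuer
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                           + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" * 17))
    san = _tlv(0x30, _tlv(0x06, DER_OID_SAN)
               + _tlv(0x04, _tlv(0x30, _tlv(0x82, dns.encode("ascii")))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg_id
               + issuer + validity + subject + spki + _tlv(0xA3, _tlv(0x30, san)))
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00" * 33))


if __name__ == "__main__":
    print(inspect_certificate(build_sample_cert()))          # constructed PSS sample
    # print(inspect_certificate(fetch_der("dc.domain.local")))  # against a real DC
```

Against a live DC, inspect_certificate(fetch_der("dc.domain.local")) gives the same three answers for the certificate the DC actually selects on port 636, which matters when several server-authentication certificates sit in the DC's personal store. Without Python, the equivalent is `openssl s_client -connect dc.domain.local:636 -showcerts </dev/null | openssl x509 -noout -text` and reading the Signature Algorithm and X509v3 Subject Alternative Name lines. A result of rsassa_pss=True tells you the thread's suspicion is correct for your CA; whether a given ClearPass build accepts such a certificate is the question for TAC, not something this check settles.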