Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass Service setup 802.1x Wired on 2 domains without trust

  • 1.  ClearPass Service setup 802.1x Wired on 2 domains without trust

    Posted Jan 21, 2019 09:59 PM

    I'm new to ClearPass and trying to set up Meraki 802.1x wired where 2 companies will share the switches. There is no trust between these domains. I need to identify the user by domain and send it to the correct AD server. I don't have the kit to test the policy on a switch.

    I'm looking for some guidance. Can I add something like below in the service to identify the user, below the default template Service Rules in the 802.1x Wired template?

    Radius:IETF | User-Name | BEGINS_WITH | <your_domain_1>\

    Then configure a service for each domain with an authentication source for each?

    My concern is that the ClearPass will only be joined to the one domain. Will the second authentication source be able to look up the AD information?



  • 2.  RE: ClearPass Service setup 802.1x Wired on 2 domains without trust

    Posted Jan 21, 2019 10:04 PM
    I’m not sure what CCMP is.

    As long as the user does not exist in both directories, you can simply add both domains to the auth source list in a single service. Based on the lookup, the correct domain will be used for user authentication (assuming you’re using a legacy method like PEAP).


  • 3.  RE: ClearPass Service setup 802.1x Wired on 2 domains without trust

    Posted Jan 21, 2019 10:15 PM

    Thank you. I will test this as soon as we have the kit and update the post. I did read on one post that adding them to the same service causes timeouts before it tries the second auth source.

    I read this post where it shows to add the user domain in the service.

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/What-is-the-best-way-to-authenticate-users-via-multiple-domains/ta-p/181644
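
Added example, not part of the thread and not ClearPass code: a sketch of routing on the RADIUS User-Name as discussed in the posts above, showing which identity formats a `BEGINS_WITH <domain>\` rule matches and which it misses. The domain names, DNS suffixes and source labels are hypothetical, and the sample identities are constructed.

```python
from typing import Optional

# Hypothetical values: one entry per untrusted domain / authentication source.
DOMAINS = {
    "AD-Company1": {"netbios": "CORP1", "dns": "corp1.example"},
    "AD-Company2": {"netbios": "CORP2", "dns": "corp2.example"},
}

def begins_with_rule(user_name: str, netbios: str) -> bool:
    """Literal prefix comparison, as in the rule from the first post."""
    return user_name.startswith(netbios + "\\")

def select_source(user_name: str) -> Optional[str]:
    """Pick an authentication source from the domain part of the identity.

    Covers DOMAIN\\user, user@dns.domain and host/pc.dns.domain (the
    machine identity commonly sent by Windows supplicants). Returns None
    for a bare user name, which only a lookup in each source can resolve.
    """
    name = user_name.strip().lower()
    for source, d in DOMAINS.items():
        netbios, dns = d["netbios"].lower(), d["dns"].lower()
        if name.startswith(netbios + "\\"):
            return source
        # Compare the whole realm, so "x@evilcorp2.example" does not match.
        if "@" in name and name.rsplit("@", 1)[1] == dns:
            return source
        if name.startswith("host/") and name.endswith("." + dns):
            return source
    return None

if __name__ == "__main__":
    # Constructed sample identities.
    for ident in ("CORP1\\alice", "bob@corp2.example",
                  "host/pc01.corp2.example", "carol"):
        prefix_hit = any(begins_with_rule(ident, d["netbios"])
                         for d in DOMAINS.values())
        print(f"{ident!r}: prefix rule={prefix_hit}, "
              f"source={select_source(ident)}")
```

Identities for which `select_source` returns None are the ones that would fall through per-domain rules and need a catch-all service or a lookup across both sources.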