Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass AD Auth Source with lots of Read Only Domain Controllers

  • 1.  ClearPass AD Auth Source with lots of Read Only Domain Controllers

    Posted Nov 26, 2019 08:51 AM

    Hi!

    We have more than 40 remote offices (construction sites in different businesses) with RODCs that don't have stable WAN connections to the central site. We want to deploy ClearPass Subscribers into these locations. The locations are very dynamic as these sites are worldwide construction sites. They are completely self-sustainable and don't need to be online all the time.

     

    Problem:

    As it's only possible to configure AD Servers as Primary (and optional Backup) AD authentication sources, it would be necessary to configure many of these sources (with the local RODC as Primary and a central DC as the Backup AD Auth Source). Configuring ClearPass Services would need many AD Auth sources or Services tailored to the remote offices. This would slow down the authentication process significantly, and it would be hard to administer lots of similar ClearPass services with just different AD sources.

     

    Question:

    What is the easiest way to configure and maintain a single AD authentication source that can be used globally?

    Is there a mechanism within ClearPass to get the nearest DC (we have a single AD domain and maintain the AD sites and subnets) for use as the AD Authentication Source for EAP-TLS?

     

    Thank you for your ideas!

     

    Regards

    Manfred M.

     



  • 2.  RE: ClearPass AD Auth Source with lots of Read Only Domain Controllers

    Posted Jan 17, 2020 11:16 AM

    I'd be interested in this as well. We have a similar problem in that we have ClearPass servers in Brazil, Europe & Singapore with RODCs. Currently we need to set up new auth sources and services to use the local DCs.



  • 3.  RE: ClearPass AD Auth Source with lots of Read Only Domain Controllers

    Posted Jan 18, 2020 12:10 PM

    Hi!

     

    Our Solution was to change the Auth-Source to "Generic LDAP". But you must take care of the default filter statements of the Generic LDAP source which are different. We had some issues with these filter statements and changed them to the "AD source" filter statement which works now.

     

    With kind regards

    Manfred M.



  • 4.  RE: ClearPass AD Auth Source with lots of Read Only Domain Controllers

    Posted Jan 24, 2020 01:31 AM

    @mywegmansconnect wrote:

    Hi!

     

    Our Solution was to change the Auth-Source to "Generic LDAP". But you must take care of the default filter statements of the Generic LDAP source which are different. We had some issues with these filter statements and changed them to the "AD source" filter statement which works now.

     

    With kind regards

    Manfred M.


    We have a similar problem in that we have ClearPass servers in Brazil, Europe & Singapore with RODCs. Currently we need to set up new auth sources and services to use the local DCs.



  • 5.  RE: ClearPass AD Auth Source with lots of Read Only Domain Controllers

    Posted Jan 24, 2020 05:36 AM

    Hi Everyone,

     

    Greetings!

     

    I am not sure if you guys have gone through the new Active Directory site awareness feature of ClearPass 6.8.4.

     

    You can read about it in ClearPass 6.8.4 release notes.

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.4/Default.htm#WhatsNew/NewFeatures_PolicyMgr.htm%3FTocPath%3DWhat's%2520New%2520in%2520This%2520Release%7CNew%2520Features%2520and%2520Enhancements%2520in%2520the%25206.8.4%2520Release%7C_____3

     

    Some further information on the concept of AD site: https://blogs.technet.microsoft.com/askds/2011/04/29/sites-sites-everywhere/

     

     

     



  • 6.  RE: ClearPass AD Auth Source with lots of Read Only Domain Controllers

    Posted Jan 24, 2020 06:05 AM

    Hi Vikram!

     

    Thank you for the helpful hint regarding CPPM 6.8.4 - this is an improvement when joining the AD.

     

    This will not change the different behaviour adding a server as AD source in comparison to adding a Generic LDAP Source.

     

    With kind regards

    Manfred M.