Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Authentication source on clearpass

  • 1.  Authentication source on clearpass

    Posted Feb 18, 2020 12:30 PM

    Hello, I have got a question about this.

    On the authentication source, when you configure it on the primary, you are supposed to input the host name, for example dc.demolab.local. Right?

    But if that one goes down then it doesn't work.

    I was wondering if, when you input only the domain like demolab.local, it will work, I mean, it should search for whichever Active Directory works? It seems to work, but I don't know if it is not recommended, if it is not secure or something like that.

    In the manual it says that you input the host name.

    I thought that if you had 3 Active Directory servers then you had to configure 3 authentication sources and add them to the services. But just putting the domain seems to work.

    Any comment about this would be appreciated.




  • 2.  RE: Authentication source on clearpass

    Posted Feb 18, 2020 12:43 PM

    Are you asking if dc.demolab.local were to go down, and you have the other two servers added as authentication sources, will it still authenticate to the other two?

  • 3.  RE: Authentication source on clearpass

    Posted Feb 18, 2020 12:47 PM

     I was asking how I should add it to the host name?

    Like dc1.demo.local.

    If I add it like dc1.demo.local, and that server goes down, then I can't authenticate.

    If I add it like demo.local and I have other domain servers like dc2.demo.local and dc3.demo.local, then the server will keep up.

    Or the third option, which would be creating 3 authentication sources and adding all of them on the service as authentication sources.




  • 4.  RE: Authentication source on clearpass

    Posted Feb 18, 2020 12:48 PM

    If you are using EAP-PEAP MSCHAPv2 then you have to join CPPM to the AD domain.

    Use an AD account which has the ability to add computers to the domain.

    You do not need to join ClearPass Policy Manager to multiple domains belonging to the same Active Directory forest, because a one-way trust relationship exists between these domains. In this case, you should join CPPM to the root domain.

    In the latest version we have a new feature where ClearPass automatically sends the request to the nearest AD to the client if the primary goes down or is not reachable. Previously we used to specify an ordered list of servers in the password server list, i.e. which server the request should go to if the first server is not reachable.

  • 5.  RE: Authentication source on clearpass

    Posted Feb 18, 2020 01:02 PM

    I guess I'm not explaining myself correctly, as my English is bad, I'm sorry.

    I'm not talking about adding ClearPass to the domain controller.

    I'm referring only to the authentication source which you have to configure in the service.

    In this case I'm referring to TACACS authenticating against the same ClearPass.

    I configured the authentication source here:

    [attachment: authenticating source1.JPG]

    On the service I'll have something like this configured:

    [attachment: authenticating source2.JPG]

    If the alternetworks DC goes down, which is the one I declared as the authentication source, then no one will be able to authenticate. But I just included one server there, one name.

    Now, if instead of putting dc01.alternetworks.local I put alternetworks.local in the host name, this does not happen, as it will just search for another AD, for example a dc02 or a dc03, it seems.

    My question was:

    Is there any issue if I configure it like that?

    At least the manual tells you to configure it as a host name, which means dc01.alternetworks.local, NOT the domain... but I don't know.




  • 6.  RE: Authentication source on clearpass
    Best Answer

    Posted Feb 18, 2020 01:34 PM
    Hey Carlos, you can add the domain name and allow DNS to return the AD server that is available. ClearPass caches the LDAP queries of successful authentications for 5 minutes so it doesn't have to perform a lookup every time the user authenticates.

  • 7.  RE: Authentication source on clearpass

    Posted Feb 19, 2020 04:12 AM

    One thing to consider is that in most deployments there are 'more preferred' AD servers over others, for example if you have remote sites. By putting the domain name in, which basically is a DNS record with multiple A records, ClearPass will just pick one. By entering a primary and one or more backups, you better control where the LDAP lookups will go.

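    The two selection strategies compared in this thread (domain name resolved through DNS vs. an explicit primary/backup host list), as an added illustration that is not ClearPass code and is not taken from any of the posts above. It assumes constructed DNS data for a hypothetical demolab.local with three DCs, one of which is unreachable, and models "ClearPass will just pick one" as a shuffled order of the A records; how ClearPass really orders or retries them is not stated on this page. The `tcp_prober` function is the only part that touches the network and is there so the same logic can be run against a real lab.

```python
"""Compare DC selection by domain name (DNS A records) with an ordered host
list. All DNS answers and reachability results below are constructed sample
data; only tcp_prober() does real network I/O and it is not used by default."""
import random
import socket
from typing import Callable, Dict, List, Optional, Tuple

LDAP_PORT = 389

# Constructed: what a resolver returns for the hypothetical demolab.local.
# Every DC registers the zone apex as an A record, so a DC that is down is
# still answered until its record is removed or scavenged; DNS alone does
# not tell you which one is alive.
SAMPLE_DNS: Dict[str, List[str]] = {
    "demolab.local": ["10.0.1.10", "10.0.2.10", "10.0.3.10"],
    "dc1.demolab.local": ["10.0.1.10"],
    "dc2.demolab.local": ["10.0.2.10"],
    "dc3.demolab.local": ["10.0.3.10"],
}

# Constructed scenario: dc1 (the one the question used as the single
# "primary" host name) is down.
SAMPLE_REACHABLE: Dict[str, bool] = {
    "10.0.1.10": False,
    "10.0.2.10": True,
    "10.0.3.10": True,
}

Resolver = Callable[[str], List[str]]
Prober = Callable[[str], bool]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS lookup against the constructed zone."""
    return list(SAMPLE_DNS.get(name, []))


def sample_prober(ip: str) -> bool:
    """Offline stand-in for 'can we open the LDAP port on this DC?'."""
    return SAMPLE_REACHABLE.get(ip, False)


def tcp_prober(ip: str, port: int = LDAP_PORT, timeout: float = 2.0) -> bool:
    """Real check for lab use: a TCP connect to the LDAP port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_by_domain(domain: str, resolver: Resolver, prober: Prober,
                   rng: random.Random = random.Random()
                   ) -> Tuple[Optional[str], List[str]]:
    """Strategy from post 6: resolve the domain name, take the A records in
    whatever order DNS hands them back (modelled here as a shuffle), and use
    the first DC that actually answers. Returns (chosen_ip, order_tried)."""
    order = resolver(domain)
    rng.shuffle(order)
    for ip in order:
        if prober(ip):
            return ip, order
    return None, order


def pick_by_list(hosts: List[str], resolver: Resolver, prober: Prober
                 ) -> Tuple[Optional[str], Optional[str]]:
    """Strategy from post 7: an explicit primary-then-backups list, so the
    preferred (e.g. local-site) DC is always tried first and remote DCs only
    get LDAP traffic when it is down. Returns (chosen_ip, chosen_host)."""
    for host in hosts:
        for ip in resolver(host):
            if prober(ip):
                return ip, host
    return None, None


if __name__ == "__main__":
    # Single host name, as in the original question: dc1 down means no auth.
    print(pick_by_list(["dc1.demolab.local"], sample_resolver, sample_prober))
    # Domain name: DNS still lists dc1, but a live DC is found after retry.
    print(pick_by_domain("demolab.local", sample_resolver, sample_prober))
    # Ordered list: dc1 is skipped and dc2 (the configured backup) is used.
    print(pick_by_list(["dc1.demolab.local", "dc2.demolab.local",
                        "dc3.demolab.local"], sample_resolver, sample_prober))
```

    Running it shows the three situations the thread goes through: a single host name fails outright when that DC is down, the domain name recovers but with no control over which surviving DC gets the query, and the ordered list recovers to the DC you chose as backup.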
  • 8.  RE: Authentication source on clearpass

    Posted Feb 19, 2020 08:43 AM

    Thanks Hernan, Victor and everyone!!