Hello, I have a question about this.
On the authentication source, when you are configuring it on primary, you are supposed to input the host name, for example dc.demolab.local, right?
But if that one goes down then it doesn't work.
I was wondering if you input only the domain, like demolab.local, it will work, I mean as it should search for which Active Directory works? It seems to work, but I don't know if it's not recommended, if it's not secure or something like that?
In the manual it says that you input the host name.
I thought that if you had 3 Active Directory servers then you had to configure 3 authentication sources and add them to the services. But just putting the domain seems to work.
Any comment about this would be appreciated.
Are you asking if dc.demolab.local were to go down, and you have the other two servers added as authentication sources, will it still authenticate to the other two?
I was asking how I should add it to the host name?
If I add it like dc1.demo.local, if that server goes down then I can't authenticate.
If I add it like demo.local and I have other domain servers like dc2.demo.local and dc3.demo.local, then the server will keep up.
Or the third option, which will be creating 3 authentication sources and adding all of them on the service as authentication sources.
If you are using EAP PEAP MSCHAPv2 then you have to join CPPM to the AD domain.
Use an AD account which has the ability to add a computer to the domain.
You do not need to join ClearPass Policy Manager to multiple domains belonging to the same Active Directory forest, because a one-way trust relationship exists between these domains. In this case, you should join CPPM to the root domain.
In the latest version we have a new feature where ClearPass automatically sends the request to the nearest AD to the client if the primary goes down or is not reachable. In previous versions we used to specify an ordered list of servers in the password server list, which server the request should go to if the first server is not reachable.
I guess I'm not explaining myself correctly, as my English is bad, I'm sorry.
I'm not talking about adding the ClearPass to the domain controller.
I'm referring only to the authentication source which you have to configure in the service.
In this case I'm referring to TACACS to authenticate in the same ClearPass.
I configured the authentication source here.
On the service I'll have something like this configured.
If the alternetworks DC goes down, which is the one I declared as authentication source, then no one will be able to authenticate. But I just included one server there, one name.
Now if instead of putting dc01.alternetworks.local I put alternetworks.local as the hostname, this does not happen, as it will just search for another AD, for example a dc02 or a dc03, it seems.
My question was:
Is there any issue if I configure it like that?
At least in the manual it tells you to configure it as a host name, which means dc01.alternetworks.local, NOT the domain... but I don't know.
One thing to consider is that in most deployments there are 'more preferred' AD servers over others. For example, if you have remote sites. By putting the domain name in, which basically is a DNS record with multiple A-records, ClearPass will just pick one. By entering a primary and one or more backups, you better control where the LDAP lookups will go.
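
The trade-off described in the reply above, as an added example that is not part of the thread and is not ClearPass code: a simplified model of where LDAP lookups land when the hostname is the domain name versus an explicit primary with backups. The addresses, site labels and the round-robin, first-reachable selection are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data (not from the thread): the A records behind the
# domain name, labelled with the site each domain controller sits in.
DOMAIN_A_RECORDS = {
    "10.0.1.10": "dc01, local site",
    "10.0.2.10": "dc02, local site",
    "10.9.9.10": "dc03, remote site",
}


def first_reachable(ordered_ips, down):
    """Return the first address in the given order that is not down, else None."""
    return next((ip for ip in ordered_ips if ip not in down), None)


def domain_name_targets(records, down, lookups):
    """Hostname = domain name. Assumption: the answer order rotates per query
    (DNS round robin) and the client takes the first address that responds."""
    ips = list(records)
    hits = Counter()
    for i in range(lookups):
        shift = i % len(ips)
        hits[first_reachable(ips[shift:] + ips[:shift], down)] += 1
    return dict(hits)


def ordered_targets(primary, backups, down, lookups):
    """Explicit primary plus backups: always the first reachable server in the
    configured order, so the administrator decides where lookups go."""
    target = first_reachable([primary, *backups], down)
    return {target: lookups}


if __name__ == "__main__":
    for down in (set(), {"10.0.1.10"}):
        print("down:", sorted(down) or "none")
        print("  domain name      :", domain_name_targets(DOMAIN_A_RECORDS, down, 9))
        print("  primary + backups:", ordered_targets(
            "10.0.1.10", ["10.0.2.10", "10.9.9.10"], down, 9))
```

In this model both configurations survive the loss of dc01, but only the ordered list keeps lookups off the remote-site server while a local one is still up.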
Thanks Hernan, Victor and everyone!!