Security


AD join with proper username@domain path

  • 1.  AD join with proper username@domain path

    Posted Dec 12, 2023 04:53 AM

    Dear Experts,

    I am not an AD expert, so please bear with me. One of my customers is trying to join CPPM (6.10) to AD. They want to do it using a username@domain path because, according to them, their domain controller supports multiple domains and he has the admin account for domain1 only. So he needs to enter something like username@domain1.pk. This is how they integrated their Cisco CUCM with their AD as well.

    Any idea if it's possible?



  • 2.  RE: AD join with proper username@domain path

    Posted Dec 12, 2023 07:18 AM

    You should not need to join Active Directory, unless you need MSCHAPv2 authentication, which is deprecated and should be replaced by EAP-TLS or TEAP. The AD join is also only for authentication, and I can imagine that if the domains are fully trusted you can look up passwords for users in the other domain as well.

    This topic is too complex, with too many parameters, to discuss in a forum. It would be necessary to better understand what you are trying to achieve, authentication methods, policies, network/AD topology, to come to a full design. Working with someone who does understand AD may help, as it may just work, but if you deploy something that is insecure based on that, it's not in anyone's benefit either.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: AD join with proper username@domain path

    Posted Dec 12, 2023 07:25 AM

    Dear Herman,

    They want to do username/password based authentication using 802.1X on Aruba wireless. Since it requires MSCHAPv2, I think we need to join with AD. Can we also do this using TEAP and without joining AD?





  • 4.  RE: AD join with proper username@domain path

    Posted Dec 12, 2023 08:28 AM

    For MSCHAPv2, and access to the password for the user, that is what the domain join is needed for. That access to the password for the user is also exactly the reason why you shouldn't use password authentication for 802.1X. If your customer wants password authentication, you should point them to the fact that they are likely to deploy something that is insecure.

    TEAP can use MSCHAPv2 as well, and it's much harder to configure it wrong, but TEAP with MSCHAPv2 requires the AD join as well.

    As said, it may be that it just works for the MSCHAPv2 if domains are fully trusted and you join to one of them, but I don't know because it's deprecated for years and I would not suggest doing it at all.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: AD join with proper username@domain path

    Posted Dec 12, 2023 12:01 PM

    The alternative is EAP-TLS, which requires certificate based authentication. Can they do it without using Onboard? Is it an easy practice to do EAP-TLS without using Onboard?

    Best Regards
    Owais Iqbal
    CCIE#37956 | ACDX 
    Technical Consultant - Aruba Networks
    Mob/Whatsapp: +92-321-2960496






  • 6.  RE: AD join with proper username@domain path

    Posted Dec 13, 2023 07:23 AM

    For managed devices, Active Directory Group Policies or Mobile Device Management is widely used to enroll client certificates to your clients. Onboard is designed for unmanaged clients, like contractors or BYOD.



    ------------------------------
    Herman Robers
    ------------------------------
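The reply above leaves the practical question open: once GPO or MDM has pushed certificates, how do you confirm a given Windows client actually holds one that an EAP-TLS supplicant can present? The script below is an added example written for this thread, not code from the original posts, from ClearPass, or from Aruba. It assumes the issuing CA's subject contains "Corp Issuing CA" (a placeholder; set `$IssuerMatch` to your own PKI) and checks both the machine store (computer authentication) and the user store (user authentication) for certificates with a private key, the Client Authentication EKU, a chain that builds, and a sane remaining lifetime. Certificates that carry no EKU extension at all are valid for any purpose but are deliberately not matched here, so add them to the filter if your PKI issues them.

```powershell
# Added example (not from the thread): audit a Windows client's certificate stores for a
# certificate that an EAP-TLS supplicant could present after GPO/MDM enrollment.
# Assumption: the issuing CA's subject contains "Corp Issuing CA"; change $IssuerMatch to match your PKI.
param(
    [string]$IssuerMatch = 'Corp Issuing CA',   # assumed issuer name (placeholder)
    [int]$WarnDays = 30                          # flag certificates expiring within this many days
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth; RADIUS servers expect it for EAP-TLS

function Get-EapTlsCandidate {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and                                  # no private key, no TLS client auth
        $_.Issuer -like "*$IssuerMatch*" -and                  # issued by the expected CA
        (@($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid }).Count -gt 0)
    }
}

function Test-EapTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # the RADIUS server will check CRL/OCSP as well
    $chainOk  = $chain.Build($Cert)
    $daysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Store      = $Cert.PSParentPath -replace '.*::'     # e.g. LocalMachine\My
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        ChainOk    = $chainOk
        ChainError = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        DaysLeft   = $daysLeft
        Warning    = ($daysLeft -le $WarnDays) -or (-not $chainOk)
    }
}

# Machine store = computer authentication (pre-logon); user store = user authentication.
# The user store is only meaningful when run in that user's session.
$results = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $found = @(Get-EapTlsCandidate -StorePath $store)
    if ($found.Count -eq 0) { Write-Warning "No EAP-TLS capable certificate in $store" }
    foreach ($cert in $found) { Test-EapTlsCertificate -Cert $cert }
}
$results | Format-Table -AutoSize
```

A client that shows no candidate in either store will fall back to whatever the wireless profile allows, which is exactly how a "certificate" deployment quietly ends up doing MSCHAPv2; run this before cutting the network over to EAP-TLS only.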



  • 7.  RE: AD join with proper username@domain path

    Posted Dec 13, 2023 07:39 AM

    Thanks Herman,

    Other than MDM, is there any other way to install certificates on mobile devices?





  • 8.  RE: AD join with proper username@domain path

    Posted Dec 13, 2023 08:06 AM

    Are these devices under some sort of device management?

    If so, probably best to use that.

    If not managed, ClearPass Onboard or similar tool would be the most recommended solution.



    ------------------------------
    Herman Robers
    ------------------------------



  • 9.  RE: AD join with proper username@domain path

    Posted Dec 13, 2023 08:11 AM

    Dear Herman,

    You mentioned a similar tool; is there any such tool available except Onboard?





  • 10.  RE: AD join with proper username@domain path

    Posted Dec 13, 2023 09:29 AM

    There are several, but I'm not in the position to recommend any of them as I don't know them very well. The other tools are also commercial solutions, so there is a similar cost to ClearPass Onboard.

    For eduroam specific, there is 'geteduroam'. 



    ------------------------------
    Herman Robers
    ------------------------------



  • 11.  RE: AD join with proper username@domain path

    Posted Dec 12, 2023 12:08 PM

    Also, when we go to the AD join window, there is this warning mentioned. I tried searching on Google but found no trace of it. Any idea what it means?



    Best Regards
    Owais Iqbal






  • 12.  RE: AD join with proper username@domain path

    Posted Dec 13, 2023 07:27 AM

    AD has a concept of sites. One of the uses of sites is to keep authentications local, for example if you have a domain controller in a branch site, local clients should authenticate there (preferred), but your ClearPass in the data center should not use such a domain controller but one in the data center instead. This is a warning, as ClearPass may select domain controllers in a different site, causing lower performance than needed. Your AD admin can probably help you with this one.



    ------------------------------
    Herman Robers
    ------------------------------
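To act on the site warning described above you need to know which AD site the RADIUS server's address falls into and which domain controllers serve that site. The script below is an added example for this thread, not code from the original posts or from ClearPass, and it runs on a domain-joined Windows admin host with the ActiveDirectory RSAT module, not on the ClearPass appliance. It assumes `10.20.30.40` as a placeholder ClearPass address: it performs the same longest-prefix subnet-to-site lookup the DC locator does, then lists every DC in the domain and marks which ones are in that site. An address that matches no AD subnet is the condition behind the warning: with no site association, any DC in the domain may be selected, including one across a WAN link.

```powershell
# Added example (not from the thread): map a RADIUS server's IPv4 address to its AD site and
# list the domain controllers in that site versus the rest of the domain.
# Assumptions: ActiveDirectory module present; $ServerIp is the ClearPass address (placeholder).
param(
    [string]$ServerIp = '10.20.30.40',     # assumed ClearPass address; replace with the real one
    [string]$Domain   = $env:USERDNSDOMAIN
)
Import-Module ActiveDirectory

function ConvertTo-UInt32 {
    param([string]$Address)
    [byte[]]$b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    [Array]::Reverse($b)                      # dotted quad is big-endian; BitConverter wants host order
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $bits = [int]$bits
    $mask = if ($bits -eq 0) { [uint32]0 } else { [uint32]((0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF) }
    return (((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

# AD subnet objects are named "a.b.c.d/n". Like the DC locator, take the longest matching prefix.
$subnet = Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' -and (Test-IPv4InCidr -Ip $ServerIp -Cidr $_.Name) } |
    Sort-Object { [int]$_.Name.Split('/')[1] } -Descending |
    Select-Object -First 1

if (-not $subnet) {
    Write-Warning "$ServerIp is not covered by any AD subnet; no site is associated, so any DC in $Domain may be chosen."
    return
}

# Subnet.Site is the site's distinguished name; resolve it to the site name
$site = (Get-ADReplicationSite -Identity $subnet.Site).Name
"Subnet $($subnet.Name) -> site $site"

# DCs in the same site are the ones the server should be talking to; everything else is remote
Get-ADDomainController -Filter * -Server $Domain |
    Sort-Object Site, HostName |
    Select-Object HostName, IPv4Address, Site, @{ n = 'SameSite'; e = { $_.Site -eq $site } } |
    Format-Table -AutoSize

# Cross-check from any domain-joined host: nltest /dsgetdc:$Domain /site:$site
```

If the ClearPass address shows up with no subnet match, the fix is on the AD side: have the AD admin add a subnet object covering the data-center range and associate it with the data-center site, then re-check before blaming RADIUS latency on the authentication source.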