Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Best practice for configuring the AD authentication source ,

  • 1.  Best practice for configuring the AD authentication source ,

    Posted Feb 20, 2024 03:42 AM
    For example, we have 6 AD sources in our setup, like INDC1, INDC2, YDC1, YDC2, SDC1, SDC2.
     
    Is the best way to configure INDC2 under backup server priority of INDC1? Similarly for the other ADs.
     
    So in the RADIUS service AD source we will have 3 AD servers.
     
    1. Will the username be checked across all AD sources?
    2. How does this server timeout function in practice?


  • 2.  RE: Best practice for configuring the AD authentication source ,

    EMPLOYEE
    Posted Feb 20, 2024 03:55 AM

    Assuming this is about ClearPass...

    If you have multiple AD servers in one Authentication Source, ClearPass will try the first, and if it's not responding within the time configured, it will use the second, and so on. So just one LDAP (AD) server will be used under normal circumstances, the backups are just used if the higher ranked servers are not reachable/responding. A non-responding server will be marked down for 2 minutes, and not tested during that time.

    If you have multiple Authentication Sources in your service, ClearPass will try them in order until the username is found in one. If the user is not available in the authentication source, it will continue with the next source and try again. Once the username is found, ClearPass will perform the authentication/authorization, and respond whatever is found there and stop further processing.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Best practice for configuring the AD authentication source ,

    Posted Feb 20, 2024 02:12 PM

    Is the 2 minutes wait time a default value? Can we view the time configuration anywhere in ClearPass?

    In Active Directory we have configured the timeout value as 10 sec - what is the use of it?

    Also, if we add 2 backup AD servers under one AD authentication server, will it bring any changes in the authentication flow instead of adding all three as separate AD servers in the authentication source?




  • 4.  RE: Best practice for configuring the AD authentication source ,

    EMPLOYEE
    Posted Feb 21, 2024 07:26 AM

    The 10 second timeout controls that if the AD server takes more time than that to respond, ClearPass will go to the next backup server in the same authentication source. That 2 minutes is the retry timeout, and it's not configurable as far as I know, but once ClearPass has marked a server down (as it did not respond within the 10 seconds, or other configured timeout in the Authentication Source).

    If you have AD servers for the same domain, you should probably add them in the same authentication source. Otherwise you would need to check authorization, like group membership, in each of them.

    Example with Authentication Source for AD with primary dc1 and backups dc2 and dc3; your role mapping based on groups would then be Authentication[AD] Groups EQUALS Domain Admins => Role;

    When 3 different authentication sources dc1, dc2, dc3, the same would be: Authentication[dc1] Groups EQUALS Domain Admins OR  Authentication[dc2] Groups EQUALS Domain Admins OR Authentication[dc3] Groups EQUALS Domain Admins => Role

    I would use different Authentication Sources for servers that have different information.



    ------------------------------
    Herman Robers
    ------------------------------
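The behaviour Herman describes in replies 2 and 4, as a small Python simulation added here (this is not ClearPass code, and the server names, user data, 10-second timeout and group names are all constructed): servers inside one Authentication Source are tried in priority order, a server that does not answer within the timeout is marked down for two minutes and skipped, separate Authentication Sources are tried in order until the username is found, and a role-mapping rule is evaluated against the source that answered. One assumption is made beyond the thread: when every server in a source is down, the service moves on to the next source.

```python
"""Simulation of ClearPass Authentication Source failover (constructed model,
not ClearPass code). Illustrates the thread's two designs: one source with
backup servers versus three separate sources, and what that does to role mapping."""
import time
from dataclasses import dataclass, field

MARKDOWN_SECONDS = 120.0   # a non-responding server is marked down for 2 minutes (from the thread)


@dataclass
class Server:
    name: str
    directory: dict            # username -> set of group names (constructed data)
    responding: bool = True    # False models a server that never answers
    down_until: float = 0.0    # wall-clock time until which the server is marked down


@dataclass
class AuthSource:
    name: str
    servers: list              # primary first, then backups in priority order
    timeout: float = 10.0      # per-server timeout configured in the source (assumed 10 s)


@dataclass
class Result:
    status: str                # 'found', 'not_found' or 'unavailable'
    source: str = ""
    server: str = ""
    groups: set = field(default_factory=set)
    elapsed: float = 0.0       # seconds spent waiting on timeouts


def lookup_in_source(src, username, now):
    """Walk one Authentication Source's server list, honouring mark-downs."""
    elapsed = 0.0
    for srv in src.servers:
        if srv.down_until > now:
            continue                        # marked down: skipped, not re-tested
        if not srv.responding:
            elapsed += src.timeout          # waited the full timeout, then gave up
            srv.down_until = now + MARKDOWN_SECONDS
            continue
        if username in srv.directory:
            return Result("found", src.name, srv.name, set(srv.directory[username]), elapsed)
        # The server answered and the user is not there: this source is done.
        return Result("not_found", src.name, srv.name, elapsed=elapsed)
    return Result("unavailable", src.name, elapsed=elapsed)


def authenticate(sources, username, now=None):
    """Try sources in order; stop at the first one where the username exists.
    Assumption: a source whose servers are all down is skipped like 'not found'."""
    now = time.time() if now is None else now
    elapsed = 0.0
    for src in sources:
        r = lookup_in_source(src, username, now)
        elapsed += r.elapsed
        if r.status == "found":
            r.elapsed = elapsed
            return r
    return Result("not_found", elapsed=elapsed)


def role_matches(result, rule):
    """rule: list of (source_name, group) pairs OR-ed together, mirroring
    'Authentication[dc1] Groups EQUALS Domain Admins OR Authentication[dc2] ...'."""
    return any(result.source == s and g in result.groups for s, g in rule)


USERS = {"alice": {"Domain Admins"}, "bob": {"Domain Users"}}   # constructed directory


def single_source(dc1_up=True):
    """Design 1: one source 'AD' with dc1 primary and dc2, dc3 as backups."""
    return [AuthSource("AD", [Server("dc1", USERS, responding=dc1_up),
                              Server("dc2", USERS), Server("dc3", USERS)])]


def separate_sources(dc1_up=True):
    """Design 2: three separate sources, one server each."""
    return [AuthSource("dc1", [Server("dc1", USERS, responding=dc1_up)]),
            AuthSource("dc2", [Server("dc2", USERS)]),
            AuthSource("dc3", [Server("dc3", USERS)])]


if __name__ == "__main__":
    srcs = single_source(dc1_up=False)
    first = authenticate(srcs, "alice", now=0.0)     # waits 10 s on dc1, answered by dc2
    second = authenticate(srcs, "alice", now=60.0)   # dc1 still marked down: no wait
    print(first, second, sep="\n")
    sep = authenticate(separate_sources(dc1_up=False), "alice", now=0.0)
    print(role_matches(sep, [("AD", "Domain Admins")]),                  # False: wrong source name
          role_matches(sep, [(d, "Domain Admins") for d in ("dc1", "dc2", "dc3")]))  # True
```

Running it shows the practical difference Herman points out: with one source, the rule `Authentication[AD] Groups EQUALS Domain Admins` keeps working whichever domain controller answered, while with three sources the rule has to name each of them. The elapsed values also show why the timeout matters: the first request after a controller stops answering pays the full timeout, later requests within the mark-down window skip it.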



  • 5.  RE: Best practice for configuring the AD authentication source ,

    Posted Mar 04, 2024 10:29 PM

    Thank You @Herman Robers for the detailed explanation