Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Clear Pass Corp_User login LDAP

  • 1.  Clear Pass Corp_User login LDAP

    Posted 20 days ago
    I am new to Aruba. My customer has asked me to set up an SSID for company users. The client has a Cisco WLC and ClearPass, and they want these users to log in using their LDAP credentials.

    My configuration is attached. I want to know if it's accurate.

    I can't access LDAP because it is managed by other people, so I imagine I would have to check whether a corp user exists.




  • 2.  RE: Clear Pass Corp_User login LDAP

    MVP EXPERT
    Posted 20 days ago
    Hi Athan,

    You can configure LDAP under Configuration > Authentication > Sources.

    When using username/password (EAP-PEAP MSCHAPv2) as the authentication method, your ClearPass must be AD joined. Note that this authentication method is pretty insecure and can easily leak AD credentials to the public, so logging in with an AD username/password is not recommended.

    When using certificate-based (EAP-TLS) authentication, your ClearPass does not need to be AD joined to look up Active Directory over LDAP (or better, LDAP over TLS on port 636). This method is the most secure deployment and can be done with computer or user based certificates. You need to enroll the certificates on your clients by using an MDM, Intune or GPO.

    For both EAP-PEAP and EAP-TLS you need to configure RADIUS on the WLAN controller and ClearPass to exchange the EAP messages.

    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
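The weakness described above (PEAP/MSCHAPv2 with a client that does not verify the RADIUS server's certificate, so a rogue access point can collect the AD credential exchange) is a client-profile problem. The following is an added example, not code from this thread or from Aruba: a small linter for wpa_supplicant-style network blocks that flags a password-based EAP profile with no `ca_cert`, a `ca_cert` without a server-name match (`domain_match` / `domain_suffix_match` / `subject_match` / `altsubject_match`), and an incomplete EAP-TLS profile. The three sample profiles, SSIDs, paths and hostnames are constructed for the example. On Windows the equivalent settings are "Validate server certificate", the trusted root CA list and "Connect to these servers" in the PEAP profile pushed by GPO or Intune.

```python
"""Lint wpa_supplicant-style network blocks for server-certificate validation.

Added example (not from the thread). The weak PEAP profile below is what a
rogue AP attack relies on: with no ca_cert the supplicant accepts any server
certificate and hands over the MSCHAPv2 challenge/response (AD credential).
"""

# Constructed sample config: one weak PEAP, one hardened PEAP, one EAP-TLS profile.
SAMPLE_CONF = """
network={
    ssid="Corp-Weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="corp\\athan"
    password="Passw0rd!"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-PEAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="corp\\athan"
    password="Passw0rd!"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    domain_match="clearpass.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="athan@corp.example"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    domain_match="clearpass.corp.example"
    client_cert="/etc/wpa/athan.crt"
    private_key="/etc/wpa/athan.key"
}
"""

PASSWORD_EAP = {"PEAP", "TTLS"}          # methods that carry a username/password
NAME_MATCH_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Minimal parser: network={ key=value ... } blocks into dicts (quotes stripped)."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def lint_network(net):
    """Return a list of (severity, message) findings for one network block."""
    findings = []
    eap = net.get("eap", "").upper()
    has_ca = bool(net.get("ca_cert"))
    has_name = any(net.get(k) for k in NAME_MATCH_KEYS)

    if eap in PASSWORD_EAP or eap == "TLS":
        if not has_ca:
            findings.append(("CRITICAL", "no ca_cert: server certificate is not verified; "
                             "a rogue AP with any certificate is accepted"))
        elif not has_name:
            findings.append(("HIGH", "ca_cert set but no domain_match/subject_match: "
                             "any server certificate issued by that CA is accepted"))
    if eap in PASSWORD_EAP:
        findings.append(("INFO", f"{eap} sends a password-derived credential; EAP-TLS with "
                         "enrolled client certificates keeps the AD password off the air"))
    if eap == "TLS" and not (net.get("client_cert") and net.get("private_key")):
        findings.append(("HIGH", "EAP-TLS profile without client_cert/private_key"))
    return findings


def lint_config(text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): lint_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in lint_config(SAMPLE_CONF).items():
        print(ssid, findings or "OK")
```

Run the block as-is and the weak profile is reported as CRITICAL, the hardened PEAP profile only gets the informational note, and the EAP-TLS profile is clean. The same three checks are the ones to confirm in whatever tool pushes the Wi-Fi profile to the customer's clients.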



  • 3.  RE: Clear Pass Corp_User login LDAP

    Posted 19 days ago
    Thank you for responding.

    Yes, I am aware that EAP-TLS is safer in this situation; however, my client wants me to log in using AD.

    I'll have to test it with my client tomorrow, but I'd like to share my settings with you today.

    (Screenshot: JOIN AD)
  • 4.  RE: Clear Pass Corp_User login LDAP

    MVP EXPERT
    Posted 19 days ago
    Hi Athan,

    Basic config looks OK to me...

    • ClearPass server is AD joined (needed for EAP-PEAP only)
    • You can browse the AD over LDAP port 389 (it may be a good choice to use LDAP over TLS on port 636 for security)
    • Service looks OK (I'm not familiar with the Radius:Airespace attributes, but let's see if it hits)
    • What do your enforcement policy and enforcement profiles look like? (only needed if you want to troubleshoot further)

    Hope your tests will be successful tomorrow. Let us know.

    ------------------------------
    Marcel Koedijk
    ------------------------------



  • 5.  RE: Clear Pass Corp_User login LDAP

    Posted 17 days ago
    My client attempted to connect to the SSID but was unsuccessful, since he had entered his domain credentials for the SSID, which I am unable to access. However, I am unable to see any log in ClearPass.




  • 6.  RE: Clear Pass Corp_User login LDAP

    MVP EXPERT
    Posted 17 days ago
    If there is no information in the Access Tracker, check the event log for unauthorized NAD devices. Did you configure the WLAN controller as a NAD device in ClearPass?






  • 7.  RE: Clear Pass Corp_User login LDAP

    Posted 17 days ago
    Hi, thanks for your reply.
    Tomorrow I will also check the logs for unauthorized devices.
    Yes, I configured the WLC controller as a device in ClearPass in the first post. You can see the image.
    My client has two WLCs. I did the test only on the 5508; it is more familiar to me. Today I read a manual on configuring the 9800. My client has some APs on the 9800, and I will have to do the test tomorrow, but I don't know if the configuration for the WLAN will be good.


  • 8.  RE: Clear Pass Corp_User login LDAP

    Posted 12 days ago
    Hello

    I think I have two issues:

    The management IP is not routable, which is the initial issue. I configured the WLC's management IP.
    The IP on the external data port is configured (this network is routable to the client's server).

    The problem is that I can't see the IP on the data port.

  • 9.  RE: Clear Pass Corp_User login LDAP

    Posted 11 days ago
    @mkk any idea?


  • 10.  RE: Clear Pass Corp_User login LDAP

    EMPLOYEE
    Posted 11 days ago
    Do you need both management and data port? That is not recommended unless you absolutely need it and understand how the dual port setup works. For troubleshooting, having a single interface will make things easier.

    Also, it seems you run ClearPass 6.9.0. Please make sure that you upgrade to at least the latest 6.9.x hotfix. If after that, you still require 2 interfaces, and the data port does not show up, open a TAC Support case as there seems to be an issue with your installation.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: Clear Pass Corp_User login LDAP

    Posted 11 days ago
    Hello and thanks for your help.
    Let me describe the situation, because I think I need two interfaces.
    My customer has two ranges: one for the server, which is routable, and one for management. I am using the management range, which is not routable, to get into ClearPass via VPN.
    For these reasons, I cannot get pings when I ping the ClearPass management interface from the WLC device. I will need to build a different interface on ClearPass in the client server range and add this IP to the WLC. What do you think?
    I believe that my client has a perfect score on the virtual machine.
    Document - Aruba ClearPass - 6.8 - How to Update the Software on the ClearPass Server | HPE Support

    My current version

  • 12.  RE: Clear Pass Corp_User login LDAP

    EMPLOYEE
    Posted 10 days ago
    In such complex routing cases, it may be best to work with Aruba TAC to find out if it is doable and supported. If you want to do it yourself, make sure that you have read the Service Routing Tech Note.

    On the version, you showed the Policy Manager System Information screenshot that displayed the 6.9.0 version and no patches. With the dual interfaces you may have made the ClearPass updates inaccessible. To upgrade to 6.9.13, get the update file from the Aruba Support Portal and do a manual update.

    ------------------------------
    Herman Robers
    ------------------------------



  • 13.  RE: Clear Pass Corp_User login LDAP

    Posted 6 days ago
    Hi.
    I was communicating with TAC Support last Friday.
    I upgraded to the most recent version after configuring the device port.

    Today I did a test with one of my clients, who attempts to join using the corp SSID on the WLC 9800, which is set up as an LDAP server.
    I can't connect to ClearPass in live monitoring, so how is it possible that I can't see anything?


  • 14.  RE: Clear Pass Corp_User login LDAP

    EMPLOYEE
    Posted 6 days ago
    If you see errors when connecting to Access Tracker, please work with Aruba support again until they have fixed your issue.

    Basic troubleshooting steps:
    - See something in Access Tracker?
    - Nothing in Access Tracker: See error in Event Viewer (Unknown NAD, Shared Secret failed).
    - Nothing in Event Viewer either: Request is not reaching ClearPass; check routing/firewalls, run packet capture on ClearPass (or other places in the network) to verify that the RADIUS request does or does not reach ClearPass.

    ------------------------------
    Herman Robers
    ------------------------------
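The three troubleshooting stages above separate "request never arrived" (routing, or the customer's firewall blocking UDP 1812/1813) from "request arrived but was rejected" (unknown NAD, or a shared-secret mismatch). The following added example, which is not ClearPass or Cisco code, shows what the second check actually is: a RADIUS Access-Request is built with a User-Password hidden per RFC 2865 §5.2 and a Message-Authenticator (attribute 80, HMAC-MD5 over the packet keyed with the shared secret, RFC 2869 §5.14), and the receiving side verifies it with the correct secret, a wrong secret, and a tampered packet. A real PEAP request carries EAP-Message attributes instead of User-Password, but the shared-secret check is the same. The username, password, secret and NAS address are constructed sample values.

```python
"""RADIUS Access-Request build/verify: User-Password hiding (RFC 2865 5.2) and
Message-Authenticator (RFC 2869 5.14). Added example, not ClearPass code.
A wrong shared secret does not stop the packet arriving; it makes this
verification fail, which is what the server logs as a shared-secret error.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813   # UDP, NAS -> server, both must be open


def encode_attrs(attrs):
    """TLV encode: type (1 byte), total length (1 byte), value (<= 253 bytes)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Return (type, value, offset_of_value) triples; reject malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length], i + 2))
        i += length
    return out


def hide_password(password, secret, authenticator):
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous output block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chaining value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """What the NAS (the WLC) sends. Message-Authenticator is computed last over the
    whole packet with that attribute zeroed, then written into place."""
    auth = authenticator or os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),   # placeholder, final attribute
    ]
    body = encode_attrs(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_access_request(packet, secret):
    """Server-side check. Returns (True, fields) or (False, reason)."""
    if len(packet) < 20:
        return False, "packet shorter than RADIUS header"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        return False, f"unexpected code {code}"
    if length != len(packet):
        return False, "length field does not match datagram size"
    authenticator = packet[4:20]
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError as exc:
        return False, f"malformed attribute: {exc}"
    mac_off = [20 + off for t, _v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mac_off:
        return False, "no Message-Authenticator (required whenever EAP-Message is present)"
    off = mac_off[-1]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[off:off + 16]):
        return False, "Message-Authenticator check failed: wrong shared secret or tampered packet"
    fields = {t: v for t, v, _ in attrs}
    if ATTR_USER_NAME not in fields or ATTR_USER_PASSWORD not in fields:
        return False, "User-Name or User-Password missing"
    return True, {
        "user": fields[ATTR_USER_NAME].decode(),
        "password": reveal_password(fields[ATTR_USER_PASSWORD], secret, authenticator).decode(),
        "nas_ip": ".".join(str(b) for b in fields.get(ATTR_NAS_IP_ADDRESS, b"")),
    }


if __name__ == "__main__":
    pkt = build_access_request(7, b"s3cret", b"corp\\athan", b"Passw0rd!", "10.0.0.5")
    print(verify_access_request(pkt, b"s3cret"))   # accepted, fields recovered
    print(verify_access_request(pkt, b"wrong"))    # rejected: shared-secret mismatch
```

If a packet capture on the ClearPass side shows the Access-Request arriving but the Event Viewer reports the NAD as unknown or the secret as failed, the fix is on the NAD entry (source IP and shared secret), not on the firewall; if nothing arrives on UDP 1812 at all, the problem is upstream, as it turned out to be in this thread.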



  • 15.  RE: Clear Pass Corp_User login LDAP

    Posted 2 days ago
    The issue was resolved.
    ClearPass and the WLC weren't communicating while I was doing my test (in the client's firewall they had not permitted ports 1812 and 1813).

    My clients wish to connect their mobile devices to the same SSID.
    Is there any way to achieve this with ClearPass?
    Is there a chance?