Wireless Access

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Hi Athan,

Basic config looks ok for me...

• ClearPass Server is AD Joined (needed for EAP-PEAP only)
• You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
• Service looks OK (iám not familiar with the Radius:Airespace attributes but let see if it hit)
• What is your enforcement policy and enforcement profiles look like (only needed if you want troubleshoot further)

Hope your tests will done successful tomorrow. Let us known.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------

Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

My client attempted to connect to the SSID but was unsuccessful since he had entered his domain  credentials in the SSID that I am unable to access. However, I am unable to view any log in the clear pass.


Original Message:
Sent: Nov 15, 2022 01:18 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

Basic config looks ok for me...

• ClearPass Server is AD Joined (needed for EAP-PEAP only)
• You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
• Service looks OK (iám not familiar with the Radius:Airespace attributes but let see if it hit)
• What is your enforcement policy and enforcement profiles look like (only needed if you want troubleshoot further)

Hope your tests will done successful tomorrow. Let us known.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Original Message:
Sent: 11/17/2022 11:37:00 AM
From: athan
Subject: RE: Clear Pass Corp_User login LDAP

My client attempted to connect to the SSID but was unsuccessful since he had entered his domain  credentials in the SSID that I am unable to access. However, I am unable to view any log in the clear pass.


Original Message:
Sent: Nov 15, 2022 01:18 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

Basic config looks ok for me...

• ClearPass Server is AD Joined (needed for EAP-PEAP only)
• You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
• Service looks OK (iám not familiar with the Radius:Airespace attributes but let see if it hit)
• What is your enforcement policy and enforcement profiles look like (only needed if you want troubleshoot further)

Hope your tests will done successful tomorrow. Let us known.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Hi, thanks for your reply.
Tomorrow I will check even the logs for unauthorized
Yes, I configured the WLCP controller as a device in clear pass in the first post. You can see the image.
My client has two WLCs. I did the test only in the 5508. is more familiar to me, today I read a manual to configure the 9800. My client has some AP in the 9800, and I will have to do the test tomorrow, but I don't know if the configuration for the WLAN will be good.
Original Message:
Sent: Nov 17, 2022 12:08 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

If there is no information in the accesstracker check the eventlog for unauthorized NAD devices. Did you configure the wlan controller as NAD device in ClearPass?

Verzonden vanuit Outlook voor iOS

Original Message:
Sent: 11/17/2022 11:37:00 AM
From: athan
Subject: RE: Clear Pass Corp_User login LDAP

My client attempted to connect to the SSID but was unsuccessful since he had entered his domain  credentials in the SSID that I am unable to access. However, I am unable to view any log in the clear pass.


Original Message:
Sent: Nov 15, 2022 01:18 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

Basic config looks ok for me...

• ClearPass Server is AD Joined (needed for EAP-PEAP only)
• You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
• Service looks OK (iám not familiar with the Radius:Airespace attributes but let see if it hit)
• What is your enforcement policy and enforcement profiles look like (only needed if you want troubleshoot further)

Hope your tests will done successful tomorrow. Let us known.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Hello

I think I have two issues:

The manager IP is not routing, which is the initial issue. I configured the WLC's management IP.
The IP data external port is configured ( this network is routeble for the client server )



Te problem is I cant see in the data port the IP






Original Message:
Sent: Nov 17, 2022 12:08 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

If there is no information in the accesstracker check the eventlog for unauthorized NAD devices. Did you configure the wlan controller as NAD device in ClearPass?

Verzonden vanuit Outlook voor iOS

Original Message:
Sent: 11/17/2022 11:37:00 AM
From: athan
Subject: RE: Clear Pass Corp_User login LDAP

My client attempted to connect to the SSID but was unsuccessful since he had entered his domain  credentials in the SSID that I am unable to access. However, I am unable to view any log in the clear pass.


Original Message:
Sent: Nov 15, 2022 01:18 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

Basic config looks ok for me...

• ClearPass Server is AD Joined (needed for EAP-PEAP only)
• You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
• Service looks OK (iám not familiar with the Radius:Airespace attributes but let see if it hit)
• What is your enforcement policy and enforcement profiles look like (only needed if you want troubleshoot further)

Hope your tests will done successful tomorrow. Let us known.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

@mkk​ any idea??
Original Message:
Sent: Nov 22, 2022 06:19 AM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Hello

I think I have two issues:

The manager IP is not routing, which is the initial issue. I configured the WLC's management IP.
The IP data external port is configured ( this network is routeble for the client server )



Te problem is I cant see in the data port the IP






Original Message:
Sent: Nov 17, 2022 12:08 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

If there is no information in the accesstracker check the eventlog for unauthorized NAD devices. Did you configure the wlan controller as NAD device in ClearPass?

Verzonden vanuit Outlook voor iOS

Original Message:
Sent: 11/17/2022 11:37:00 AM
From: athan
Subject: RE: Clear Pass Corp_User login LDAP

My client attempted to connect to the SSID but was unsuccessful since he had entered his domain  credentials in the SSID that I am unable to access. However, I am unable to view any log in the clear pass.


Original Message:
Sent: Nov 15, 2022 01:18 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

Basic config looks ok for me...

• ClearPass Server is AD Joined (needed for EAP-PEAP only)
• You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
• Service looks OK (iám not familiar with the Radius:Airespace attributes but let see if it hit)
• What is your enforcement policy and enforcement profiles look like (only needed if you want troubleshoot further)

Hope your tests will done successful tomorrow. Let us known.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Do you need both management and data port? That is not recommended unless you absolutely need it and understand how the dual port setup works. For troubleshooting, having a single interface will make things easier.

Also, it seems you run ClearPass 6.9.0. Please make sure that you upgrade to at least the latest 6.9.x hotfix. If after that, you still require 2 interfaces, and the data port does not show up, open a TAC Support case as there seems to be an issue with your installation.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Nov 22, 2022 06:19 AM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Hello

I think I have two issues:

The manager IP is not routing, which is the initial issue. I configured the WLC's management IP.
The IP data external port is configured ( this network is routeble for the client server )



Te problem is I cant see in the data port the IP






Original Message:
Sent: Nov 17, 2022 12:08 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

If there is no information in the accesstracker check the eventlog for unauthorized NAD devices. Did you configure the wlan controller as NAD device in ClearPass?

Verzonden vanuit Outlook voor iOS

Original Message:
Sent: 11/17/2022 11:37:00 AM
From: athan
Subject: RE: Clear Pass Corp_User login LDAP

My client attempted to connect to the SSID but was unsuccessful since he had entered his domain  credentials in the SSID that I am unable to access. However, I am unable to view any log in the clear pass.


Original Message:
Sent: Nov 15, 2022 01:18 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

Basic config looks ok for me...

• ClearPass Server is AD Joined (needed for EAP-PEAP only)
• You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
• Service looks OK (iám not familiar with the Radius:Airespace attributes but let see if it hit)
• What is your enforcement policy and enforcement profiles look like (only needed if you want troubleshoot further)

Hope your tests will done successful tomorrow. Let us known.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 15, 2022 12:16 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

Thank you for responding.

Yes, I am aware that EAp-TLS is safer in this situation, however my client wants me to log in using AD.

I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

JOIN AD









Original Message:
Sent: Nov 14, 2022 02:10 PM
From: marcel koedijk
Subject: Clear Pass Corp_User login LDAP

Hi Athan,

You can configure LDAP under Configuration > Authentication > Sources.

When using username/password (EAP-PEAP MSCHAPv2) as authentication method your ClearPass must be AD Joined. Noted that this authentication method is pretty unsecure and can easily leak AD Credentials to the public, therefore login with AD username/password is not recommended.

When using certificate based (EAP-TLS) as authentication method your ClearPass not need to be AD Joined to lookup the Active Directory over LDAP (or better LDAP over TLS (port636)). This method is the most secure deployment and can be done at computer of user based certificates. You need to enroll the certifcates to your clients by using a MDM, Intune or GPO.

For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own

Original Message:
Sent: Nov 13, 2022 04:49 PM
From: John ramos
Subject: Clear Pass Corp_User login LDAP

I am new to Arruba, my customer has asked me to set up an SSID user company. The client has a Cisco WLC and clear pass, and they want these users to log in using their LDAP credentials.

My configuration is attached. I want to know if it's accurate.

I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.


PICPICKSHAPE

Hello and thanks for your help.
Let me describe the situation because I think I need two interfaces.
My customer has two ranges: one for a server that is enrutable and one for the managment i am using the mannagment range is not enrutable. for get in the clear pass via vpn , which
For these reasons, I am unable to get pings when I go to the interface management clear pass on the WLC device. I will need to construct a different interface with clear pass range server clients and add this IP to the wlc due to these reasons. How do you think ?
 I believe that my client has a perfect score on the virtual machine.-
Document - Aruba ClearPass - 6.8 - How to Update the Software on the ClearPass Server | HPE Support

My current version