Wireless Access


Clear Pass Corp_User login LDAP

  • 1.  Clear Pass Corp_User login LDAP

    Posted Nov 14, 2022 12:36 PM
    I am new to Aruba; my customer has asked me to set up an SSID for company users. The client has a Cisco WLC and ClearPass, and they want these users to log in using their LDAP credentials.

    My configuration is attached. I want to know if it's accurate.

    I can't access LDAP because it is managed by other individuals, therefore I imagine I would have to see if there is a corp user.




  • 2.  RE: Clear Pass Corp_User login LDAP

    MVP EXPERT
    Posted Nov 14, 2022 02:11 PM
    Hi Athan,

    You can configure LDAP under Configuration > Authentication > Sources.

    When using username/password (EAP-PEAP MSCHAPv2) as the authentication method, your ClearPass must be AD joined. Note that this authentication method is pretty insecure and can easily leak AD credentials to the public, therefore login with AD username/password is not recommended.

    When using certificate-based (EAP-TLS) authentication, your ClearPass does not need to be AD joined to look up Active Directory over LDAP (or better, LDAP over TLS on port 636). This method is the most secure deployment and can be done with computer- or user-based certificates. You need to enroll the certificates on your clients by using an MDM, Intune or GPO.

    For both EAP-PEAP or EAP-TLS you need to configure RADIUS on the wlan controller and ClearPass to exchange the EAP messages.

    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
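The settings contrasted in the reply above (cleartext LDAP on 389 versus LDAP over TLS on 636, and PEAP-MSCHAPv2 needing an AD join) can be checked mechanically before a customer test. The following is an added example, not ClearPass code or the poster's configuration: the two configuration dictionaries are constructed for illustration and do not follow ClearPass's export format, and the finding texts are this example's own.

```python
"""Flag weak settings in a ClearPass 802.1X design against the points made
above: cleartext LDAP on port 389 versus LDAP over TLS on port 636, TLS without
CA verification, and PEAP-MSCHAPv2 on a server that is not AD joined.

Added example, not ClearPass code or output; the configuration dictionaries
are constructed for illustration and do not follow ClearPass's export format.
"""

LDAP_PORT = 389    # cleartext LDAP
LDAPS_PORT = 636   # LDAP over TLS

# Constructed sample: roughly the design the thread starts with.
WEAK_CONFIG = {
    "auth_source": {"type": "ldap", "host": "dc01.corp.example",
                    "port": LDAP_PORT, "use_tls": False, "verify_ca": False},
    "eap_method": "EAP-PEAP-MSCHAPv2",
    "ad_joined": False,
}

# Constructed sample: the same design with the recommendations applied.
HARDENED_CONFIG = {
    "auth_source": {"type": "ldap", "host": "dc01.corp.example",
                    "port": LDAPS_PORT, "use_tls": True, "verify_ca": True},
    "eap_method": "EAP-TLS",
    "ad_joined": False,  # an AD join is only needed for PEAP-MSCHAPv2
}


def check_config(cfg):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    src = cfg["auth_source"]
    if src["type"] == "ldap":
        if not src["use_tls"]:
            findings.append(("high", f"LDAP bind to {src['host']}:{src['port']} is cleartext; "
                                     f"use LDAP over TLS on port {LDAPS_PORT}"))
        elif not src["verify_ca"]:
            findings.append(("high", "LDAP over TLS without CA verification "
                                     "does not protect the bind against interception"))
    method = cfg["eap_method"].upper()
    if method.startswith("EAP-PEAP") and "MSCHAPV2" in method:
        findings.append(("medium", "PEAP-MSCHAPv2 authenticates with AD password-derived "
                                   "material; clients must validate the server certificate, "
                                   "and EAP-TLS is the preferred method"))
        if not cfg["ad_joined"]:
            findings.append(("high", "PEAP-MSCHAPv2 requires ClearPass to be AD joined; "
                                     "authentication will fail without the join"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Running it reports three findings for the weak design (cleartext LDAP, the PEAP-MSCHAPv2 caveat, and the missing AD join) and none for the hardened one; the checks are deliberately ordered so that the cleartext bind, which exposes the service account credentials on the wire, is reported first.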



  • 3.  RE: Clear Pass Corp_User login LDAP

    Posted Nov 15, 2022 12:16 PM
    Thank you for responding.

    Yes, I am aware that EAP-TLS is safer in this situation, however my client wants me to log in using AD.

    I'll have to test it with my client tomorrow, but I'd want to share my settings with you today.

    JOIN AD

  • 4.  RE: Clear Pass Corp_User login LDAP

    MVP EXPERT
    Posted Nov 15, 2022 01:18 PM
    Hi Athan,

    Basic config looks ok for me...

    • ClearPass Server is AD joined (needed for EAP-PEAP only)
    • You can browse the AD over LDAP port 389 (maybe a good choice to use LDAP over TLS port 636 for security)
    • Service looks OK (I'm not familiar with the Radius:Airespace attributes, but let's see if it hits)
    • What do your enforcement policy and enforcement profiles look like? (only needed if you want to troubleshoot further)

    Hope your tests will be done successfully tomorrow. Let us know.

    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 5.  RE: Clear Pass Corp_User login LDAP

    Posted Nov 17, 2022 11:37 AM
    My client attempted to connect to the SSID but was unsuccessful, since he had entered his domain credentials in the SSID that I am unable to access. However, I am unable to view any log in ClearPass.

  • 6.  RE: Clear Pass Corp_User login LDAP

    MVP EXPERT
    Posted Nov 17, 2022 12:08 PM
    If there is no information in the Access Tracker, check the event log for unauthorized NAD devices. Did you configure the WLAN controller as a NAD device in ClearPass?

    Sent from Outlook for iOS
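The check suggested above (an empty Access Tracker plus event-log entries for a NAD that is not registered) is the kind of thing worth scripting when a controller has more than one interface and may be sourcing RADIUS from an address other than the one registered. The following is an added example, not ClearPass code or the reply's own tooling: the device list and the event-log lines are constructed for illustration and do not follow ClearPass's real log format, and the function names are this example's own.

```python
"""Triage event-log lines for RADIUS requests that ClearPass dropped because the
sending NAD is not a configured network device, and check a candidate address
against the configured device list (single addresses or subnets).

Added example, not ClearPass code; the log lines and the device list are
constructed for illustration and do not follow ClearPass's real log format.
"""
import ipaddress
import re

# Constructed sample: network devices as registered in ClearPass. The 5508 is
# registered by its management address only.
CONFIGURED_NADS = {
    "wlc-5508": "10.10.0.5",
    "wlc-9800": "10.10.0.16/30",   # a small management subnet
}

# Constructed sample event log (format invented for this example). The 5508
# is sending RADIUS from its data-port address, which is not registered.
SAMPLE_EVENT_LOG = """\
2022-11-17 11:20:05 INFO  radius: request from 10.10.0.5 user=CORP\\athan result=ACCEPT
2022-11-17 11:21:13 ERROR radius: request from unknown NAD 10.20.0.9 dropped
2022-11-17 11:21:14 ERROR radius: request from unknown NAD 10.20.0.9 dropped
2022-11-17 11:22:40 WARN  radius: request from 10.10.0.5 user=CORP\\athan result=REJECT reason=bad-password
"""

UNKNOWN_NAD = re.compile(r"unknown NAD (\d{1,3}(?:\.\d{1,3}){3})")


def nad_is_configured(ip, nads=CONFIGURED_NADS):
    """True if ip is covered by any configured device entry (address or subnet)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in nads.values())


def triage(log_text, nads=CONFIGURED_NADS):
    """Map each address dropped as an unknown NAD to its request count and to
    whether it already matches a configured entry. A dropped address that is
    configured points at the device entry itself (wrong node, unsaved change);
    an unconfigured one means the controller is sending from an address (here
    the data port) that was never registered."""
    seen = {}
    for line in log_text.splitlines():
        match = UNKNOWN_NAD.search(line)
        if not match:
            continue
        ip = match.group(1)
        entry = seen.setdefault(ip, {"requests": 0, "configured": nad_is_configured(ip, nads)})
        entry["requests"] += 1
    return seen


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_EVENT_LOG).items():
        state = "already configured" if info["configured"] else "not a registered network device"
        print(f"{ip}: {info['requests']} dropped request(s), {state}")
```

On the constructed log the script reports 10.20.0.9 with two dropped requests and no matching device entry, which is exactly the situation later in this thread where the controller's management address is registered but its routable data-port address is the one ClearPass actually sees. Registering the address the controller really sources RADIUS from (or a subnet entry covering it) resolves that class of drop.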





  • 7.  RE: Clear Pass Corp_User login LDAP

    Posted Nov 17, 2022 04:50 PM
    Hi, thanks for your reply.
    Tomorrow I will also check the logs for unauthorized devices.
    Yes, I configured the WLC controller as a device in ClearPass in the first post. You can see the image.
    My client has two WLCs. I did the test only on the 5508, which is more familiar to me; today I read a manual on configuring the 9800. My client has some APs on the 9800, and I will have to do the test tomorrow, but I don't know if the configuration for the WLAN will be good.


  • 8.  RE: Clear Pass Corp_User login LDAP

    Posted Nov 22, 2022 06:19 AM
    Hello

    I think I have two issues:

    The management IP is not routable, which is the initial issue. I configured the WLC's management IP.
    The external data port IP is configured (this network is routable to the client's server).

    The problem is I can't see the IP on the data port.

  • 9.  RE: Clear Pass Corp_User login LDAP

    Posted Nov 23, 2022 02:10 AM
    @mkk any idea?

  • 10.  RE: Clear Pass Corp_User login LDAP

    EMPLOYEE
    Posted Nov 23, 2022 08:54 AM
    Do you need both management and data port? That is not recommended unless you absolutely need it and understand how the dual port setup works. For troubleshooting, having a single interface will make things easier.

    Also, it seems you run ClearPass 6.9.0. Please make sure that you upgrade to at least the latest 6.9.x hotfix. If after that, you still require 2 interfaces, and the data port does not show up, open a TAC Support case as there seems to be an issue with your installation.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: Clear Pass Corp_User login LDAP

    Posted Nov 23, 2022 03:02 PM
    Hello and thanks for your help.
    Let me describe the situation because I think I need two interfaces.
    My customer has two ranges: one for a server that is routable and one for management. The management range I am using is not routable, and I get into ClearPass via VPN.
    For these reasons, I am unable to get pings when I go to the ClearPass management interface from the WLC device. I will need to build a different interface with ClearPass in the client's server range and add this IP to the WLC. What do you think?
    I believe that my client has a perfect score on the virtual machine.
    Document - Aruba ClearPass - 6.8 - How to Update the Software on the ClearPass Server | HPE Support

    My current version