Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Active directory join issue

  • 1.  ClearPass Active directory join issue

    Posted Oct 03, 2023 02:50 PM

    Dear Experts, 

    One of my customers (during a PoC) doesn't want to provide an Account Operators user for CPPM to join the domain. According to them, it is insecure since such a user has the permission to create accounts, etc., in AD.

    So how do you guys do it? Are other customers OK with providing such an account for the domain join? Or is there any other type of account that can also be used for domain joining?



  • 2.  RE: ClearPass Active directory join issue

    EMPLOYEE
    Posted Oct 03, 2023 05:58 PM

    I guess the first thing is that you only need the ClearPass node to join the domain if you want to do EAP-PEAP authentication, and not for EAP-TLS auth, which should be the way to do it.

    The second thing is, in case you need to join the domain, it's a one-time operation, and for that you need to have admin rights. After ClearPass has joined, you can delete the admin account that was used; it's up to you.

    Finally, the domain bind (when creating an auth source) requires a service account with read permissions.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: ClearPass Active directory join issue

    Posted Oct 03, 2023 09:37 PM
    Thanks, Ariya.

    Yes, I tried that and it worked. For the authentication source I simply used a normal domain user account with no other membership, and it worked well; for example, when I did Search Base DN, it was showing me the tree.





  • 4.  RE: ClearPass Active directory join issue

    MVP
    Posted Oct 06, 2023 09:40 AM

    Actually, it is only needed for EAP-PEAP-MSCHAPv2 to decode the encrypted passwords.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: ClearPass Active directory join issue

    Posted Oct 03, 2023 05:58 PM
    Hello,

    How do they join a client to the domain?
    Is this also insecure?

    For joining a client to the domain, the user must only be provided once. This password will not be stored.
    You don't have to use a domain admin, just a user
    who is delegated to add computers to the domain by joining them (any domain user, by default).
    So this task is as secure as it is to join your PC to the domain.

    For more details on how to delegate such permissions, you can check this MS forum post:
    https://learn.microsoft.com/en-us/answers/questions/764328/delegate-domain-join-only-permission-to-a-standard

    ---------------------------------
    Best regards, mom
    ---------------------------------
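
As an added example (not from any poster in this thread, and not HPE Aruba or Microsoft code), the following PowerShell shows the two things the replies above recommend: delegating only domain-join rights to a dedicated account on one OU, instead of handing CPPM an Account Operators member, and then checking that neither that join account nor the read-only LDAP bind account used for the authentication source sits in a privileged group. The account names `svc-cppm-join` and `svc-cppm-bind` and the OU `OU=NAC-Servers,DC=corp,DC=example` are placeholders; the GUIDs are the well-known AD schema and control-access-right identifiers for the computer class, Reset Password, the Account Restrictions property set, and the validated writes to DNS host name and SPN. It assumes the RSAT ActiveDirectory module and a session allowed to modify the OU's ACL.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# a session permitted to change the target OU's ACL, and placeholder names below.
Import-Module ActiveDirectory

$JoinAccount = 'svc-cppm-join'                        # hypothetical least-privilege join account
$BindAccount = 'svc-cppm-bind'                        # hypothetical read-only LDAP bind account
$TargetOU    = 'OU=NAC-Servers,DC=corp,DC=example'    # hypothetical OU that will hold CPPM's computer object

# Well-known schema / control-access GUIDs referenced by the ACEs.
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$AccountRestr  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set
$ValidatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$ValidatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name

$sid = (Get-ADUser -Identity $JoinAccount).SID
$acl = Get-Acl -Path "AD:\$TargetOU"

# 1. Allow the join account to create computer objects directly under this OU only
#    (object type restricted to the computer class, no other child classes).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'CreateChild', 'Allow', $ComputerClass, 'None'))

# 2. On computer objects beneath the OU, grant just what the join itself performs:
#    set the machine password, write account restrictions, and the two validated writes.
foreach ($right in @(
    @{ Type = 'ExtendedRight'; Guid = $ResetPassword },
    @{ Type = 'WriteProperty'; Guid = $AccountRestr  },
    @{ Type = 'Self';          Guid = $ValidatedDns  },
    @{ Type = 'Self';          Guid = $ValidatedSpn  })) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $right.Type, 'Allow', $right.Guid, 'Descendents', $ComputerClass))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 3. Verify the delegation landed where intended: list only the ACEs for the join account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType

# 4. Verify neither service account is in a privileged group. Get-ADPrincipalGroupMembership
#    reports direct membership only; nested membership needs a recursive check.
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($acct in $JoinAccount, $BindAccount) {
    $groups = (Get-ADPrincipalGroupMembership -Identity $acct).Name
    $hits   = $groups | Where-Object { $_ -in $Privileged }
    if ($hits) { Write-Warning "$acct is a member of: $($hits -join ', ')" }
    else       { "$acct has no privileged group membership (groups: $($groups -join ', '))" }
}
```

The join account's password is entered once during the ClearPass domain join, as the post above notes, so after the join succeeds it can be disabled or its password rotated. The bind account used for the authentication source needs nothing beyond ordinary domain-user read access to the directory, which is why the check in step 4 is the only thing this script does with it.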