I guess the first thing is that you only need the ClearPass node to join the domain if you want to do EAP-PEAP authentication, and not for EAP-TLS auth, which should be the way to do it.
The second thing is, in case you need to join the domain, it's a one-time operation, and for that you need to have admin rights. After ClearPass has joined, you can delete the admin account that was used; it's up to you.
Finally, the domain bind (when creating an auth source) requires a service account with read permissions.
------------------------------
If my post was useful, accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------
Original Message:
Sent: Oct 03, 2023 02:50 PM
From: Owais101
Subject: ClearPass Active directory join issue
Dear Experts,
One of my customers (during a PoC) doesn't want to provide an Account Operators user for CPPM to join the domain. According to them, it's insecure, since such a user has the permission to create accounts etc. in AD.
So how do you guys do it? Are other customers OK with providing such an account for domain join? Or is there any other type of account that can also be used for domain joining?