Well, there are multiple submissions in Innovate requesting support for Kerberos as an authentication source, in light of Microsoft's decision to deprecate NTLM. Below I've provided the link to the Aruba innovation zone discussion.
Original Message:
Sent: Jun 23, 2025 02:59 AM
From: steffen_i
Subject: ClearPass Authentication Error after adding AD-User to Protected Users Security Group
Hi Vigan,
thanks for your reply.
Do you know if Aruba has any plans to support Kerberos for Admin-UI-Authentication in the near future?
Regards
------------------------------
Steffen
Original Message:
Sent: Jun 22, 2025 11:47 AM
From: vigan
Subject: ClearPass Authentication Error after adding AD-User to Protected Users Security Group
Hello Steffen,
The challenge you are experiencing is related to the restrictions of the Windows "Protected Users" group. According to Microsoft, members of this group cannot use NTLM authentication, which is required for Aruba ClearPass administrator logins via Active Directory.
Short-term:
Take the affected admin accounts out of the Protected Users group. This should let you log back in to ClearPass without any issues.
Long-term:
If your organization needs to keep the Protected Users group for security reasons, it's best to keep at least one administrative account outside the group for ClearPass, until Kerberos authentication is supported.
Take a peek at Microsoft, PUG overview.
Hope this helps you in any way.
Cheers,
Vigan
Original Message:
Sent: Jun 20, 2025 07:32 AM
From: steffen_i
Subject: ClearPass Authentication Error after adding AD-User to Protected Users Security Group
Hello community.
One of my customers uses his on-prem AD accounts for administrative login to ClearPass. For this there is a service that uses the AD as authentication source and assigns an authorization to this user in the enforcement according to the groups in the AD, e.g. Super Admin.
This has worked without any problems so far.
In the course of securing the AD, the customer has now been advised to add his admin users to the Windows group "Protected Users". (https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group)
After that, the login for these accounts no longer worked.
The error message was "Incorrect password for user=... Failed to authenticate user"
I assume this is because NTLM logins are no longer possible with these accounts.
Is there a way to connect the ClearPass to the AD in a different way or does the user have to be removed from the group again?
------------------------------
Steffen
------------------------------