Security

  • 1.  clearpass join domain problem

    Posted Nov 17, 2022 02:56 AM
    Can clearpass join the rodc (read-only) domain?
    Because clearpass needs to write hostname in the ad domain, so I think it is not possible.
    Is it ok if clearpass's hostname is manually added in the rodc (read-only) domain?

    ------------------------------
    leo ma
    ------------------------------


  • 2.  RE: clearpass join domain problem

    Posted Nov 17, 2022 05:00 AM
    Domain join is only needed if you deploy PEAP-MSCHAPv2, which is deprecated because the underlying cryptography is obsolete and broken.

    And I'm quite sure that you can't join computers/servers to a RODC. Adding the hostname is not enough, because a computer account has to be created, and for that afaik you need a writable domain controller.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: clearpass join domain problem

    Posted Nov 17, 2022 05:35 AM
    Hi Robers,
    I use EAP-PEAP and EAP-MSCHAPv2. If no domain is added, the user password verification will fail.


    ------------------------------
    leo ma
    ------------------------------



  • 4.  RE: clearpass join domain problem

    Posted Nov 17, 2022 06:35 AM
    Hi Robers,
    I use the DC AD to join the domain. Then the password servers use the RODC.
    Does my 802.1X authentication fail when the line to the DC domain goes down?


    ------------------------------
    leo ma
    ------------------------------



  • 5.  RE: clearpass join domain problem
    Best Answer

    Posted Nov 17, 2022 08:14 AM
    There are 2 things here:
    - Kerberos / Domain join for the MSCHAPv2 authentication (again: PEAP-MSCHAPv2 IS DEPRECATED DO NOT USE MSCHAPv2!!! YOU DEPLOY AN INSECURE NETWORK with very few exceptions). This is what uses the password servers, and if you can reach your RODC that should work, also considering the DNS servers that ClearPass uses can still resolve the domain servers in your domain.
    - Authentication source for the LDAP Authorization. If that points to ad1 and ad1 becomes unavailable, the authentication will time out. If that points to your rodc, or if you have a still operational backup server configured, then that should work as well. Also here make sure that DNS works and does not go down with your ad1.

    For a successful EAP-PEAP-MSCHAPv2 802.1X authentication, both must work and be available.

    The questions you ask are more Active Directory high-availability/redundancy questions. For ClearPass the AD services (Kerberos & LDAP) just need to be available.

    I would highly recommend deploying EAP-TLS instead of PEAP-MSCHAPv2. For EAP-TLS you should not join the domain, and the use of a RODC is a no-brainer which just works.

    ------------------------------
    Herman Robers
    ------------------------------
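The two dependencies the answer above separates (Kerberos/domain join for the MSCHAPv2 step, and the LDAP authentication source for authorization, both relying on DNS) can be checked from a script. This is an added example, not ClearPass or Aruba code; the probe and resolver are pluggable so the logic can be exercised against constructed scenarios, and any hostnames used with it are placeholders.

```python
"""Availability check for the two legs of PEAP-MSCHAPv2 on ClearPass.

Added example, not ClearPass/Aruba code. Two legs must both be up:
  1. Kerberos / domain join ("password servers") for the MSCHAPv2 step
  2. the LDAP authentication source used for authorization
plus DNS, which both legs rely on. Each leg is probed over TCP
(Kerberos 88, LDAPS 636); one reachable server per leg is enough.
"""
import socket
from typing import Callable, Iterable

Probe = Callable[[str, int], bool]   # (host, port) -> reachable?
Resolver = Callable[[str], bool]     # hostname -> resolves?


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_resolves(host: str) -> bool:
    """Real resolver check: True if the name resolves to an address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def leg_available(hosts: Iterable[str], port: int,
                  probe: Probe, resolve: Resolver) -> bool:
    """A leg is healthy if at least one server both resolves and answers."""
    return any(resolve(h) and probe(h, port) for h in hosts)


def assess_peap_readiness(password_servers, ldap_sources,
                          probe: Probe = tcp_probe,
                          resolve: Resolver = dns_resolves,
                          ldap_port: int = 636) -> dict:
    """Report which leg would make an EAP-PEAP-MSCHAPv2 login fail/time out."""
    kerberos_ok = leg_available(password_servers, 88, probe, resolve)
    ldap_ok = leg_available(ldap_sources, ldap_port, probe, resolve)
    return {"kerberos": kerberos_ok, "ldap": ldap_ok,
            "peap_mschapv2_ready": kerberos_ok and ldap_ok}
```

Run it with the real `tcp_probe` and `dns_resolves` defaults against your own domain controllers; a `False` on exactly one leg tells you which dependency (password servers versus authentication source) is the one that lost its writable DC.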



  • 6.  RE: clearpass join domain problem

    Posted Nov 17, 2022 08:58 AM
    hi Robers
      Thank you very much for your reply.
    Because customers do not have the conditions to use TLS, they can only use the EAP-PEAP-MSCHAPv2 802.1X authentication method.

    ------------------------------
    leo ma
    ------------------------------



  • 7.  RE: clearpass join domain problem

    Posted Nov 17, 2022 09:44 AM
    My point is that they can't use MSCHAPv2, unless they are fine that the AD credentials of their users leak out. Or they should have 100% control over their clients, in which case using EAP-TLS is trivial.

    At least make the risk and very strong deprecation of MSCHAPv2 clear to your customer. Also, expect issues like with the latest Windows 11 update where PEAP stopped working.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: clearpass join domain problem

    Posted Nov 17, 2022 10:21 PM
    hi Robers
      Thank you very much for the reminder, I will inform the customer about this issue, and we will also pay attention to this issue in future implementations.


    ------------------------------
    leo ma
    ------------------------------