There are 2 things here:
- Kerberos / Domain join for the MSCHAPv2 authentication (again: PEAP-MSCHAPv2 IS DEPRECATED. DO NOT USE MSCHAPv2!!! YOU DEPLOY AN INSECURE NETWORK, with very few exceptions). This is what uses the password servers, and if you can reach your RODC that should work, also considering that the DNS servers ClearPass uses can still resolve the domain servers in your domain.
- Authentication source for the LDAP Authorization. If that points to ad1 and ad1 becomes unavailable, the authentication will time out. If that points to your rodc, or if you have a still operational backup server configured, then that should work as well. Also here make sure that DNS works and does not go down with your ad1.
For a successful EAP-PEAP-MSCHAPv2 802.1X authentication, both must work and be available.
The questions you ask are more Active Directory high-availability/redundancy questions. For ClearPass the AD services (Kerberos & LDAP) just need to be available.
I would highly recommend deploying EAP-TLS instead of PEAP-MSCHAPv2. For EAP-TLS you should not join the domain, and the use of an RODC is a no-brainer which just works.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
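The two dependencies described in the reply above (Kerberos on the password servers, LDAP on the configured authentication source) can be pre-flight checked before a DC link goes down. This is an added example, not code from the thread or from ClearPass; the hostnames `ad1.corp.example` and `rodc.corp.example` are constructed placeholders, and `simulate_ad1_outage` replaces the network probe with a fake so the outage scenario from the thread can be evaluated offline.

```python
"""Pre-flight check for the two AD dependencies a PEAP-MSCHAPv2 802.1X flow on
ClearPass needs: Kerberos on the password servers and LDAP on the configured
authentication source (plus its backup, if one is configured).
All hostnames are constructed placeholders, not from the thread."""
import socket
from typing import Callable, Dict, Iterable, Optional

KERBEROS_PORT = 88
LDAP_PORT = 389  # 636 if the authentication source is configured for LDAPS


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Resolve the host and open a TCP connection. A DNS failure counts as
    down: a DC that cannot be resolved is as unusable as one that is off."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # gaierror (DNS), timeout, refused, unreachable
        return False


def evaluate(password_servers: Iterable[str], auth_source: str,
             backup_source: Optional[str] = None,
             probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, object]:
    """Kerberos is satisfied by any reachable password server; LDAP only by the
    authentication source or its configured backup. Both must be up."""
    kerberos = {h: probe(h, KERBEROS_PORT) for h in password_servers}
    ldap_hosts = [auth_source] + ([backup_source] if backup_source else [])
    ldap = {h: probe(h, LDAP_PORT) for h in ldap_hosts}
    kerberos_ok, ldap_ok = any(kerberos.values()), any(ldap.values())
    return {"kerberos": kerberos, "ldap": ldap, "kerberos_ok": kerberos_ok,
            "ldap_ok": ldap_ok, "mschapv2_auth_possible": kerberos_ok and ldap_ok}


def simulate_ad1_outage(auth_source: str, backup_source: Optional[str]) -> bool:
    """Model the scenario from the thread: ad1 (the writable DC) is cut off and
    only the RODC answers. Uses a fake probe instead of the network."""
    up = {"rodc.corp.example"}
    result = evaluate(["ad1.corp.example", "rodc.corp.example"], auth_source,
                      backup_source, probe=lambda host, port: host in up)
    return bool(result["mschapv2_auth_possible"])


if __name__ == "__main__":
    # Live check against the real DCs (replace the constructed names with yours).
    print(evaluate(["ad1.corp.example", "rodc.corp.example"], "ad1.corp.example"))
    print("ad1 down, LDAP source ad1, no backup:", simulate_ad1_outage("ad1.corp.example", None))
    print("ad1 down, LDAP source ad1, backup rodc:",
          simulate_ad1_outage("ad1.corp.example", "rodc.corp.example"))
```

With the LDAP authentication source pointing only at ad1, the simulation reports that authentication fails even though Kerberos against the RODC still works; adding the RODC as backup source, or pointing the source at it, makes the flow survive the outage.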
Original Message:
Sent: Nov 17, 2022 06:34 AM
From: zhipeng ma
Subject: clearpass join domain problem
Hi Robers,
I use the DC AD to join the domain. Then the password servers use the RODC.
Does my 802.1X authentication fail when the line to the DC domain goes down?
------------------------------
leo ma
Original Message:
Sent: Nov 17, 2022 05:00 AM
From: Herman Robers
Subject: clearpass join domain problem
Domain join is only needed if you deploy PEAP-MSCHAPv2, which is deprecated because the underlying cryptography is obsolete and broken.
And I'm quite sure that you can't join computers/servers to a RODC. Adding the hostname is not enough, because a computer account has to be created, and for that afaik you need a writable domain controller.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Nov 17, 2022 02:55 AM
From: zhipeng ma
Subject: clearpass join domain problem
Can ClearPass join the RODC (read-only) domain?
Because ClearPass needs to write its hostname in the AD domain, I think it is not possible.
Is it OK if ClearPass's hostname is manually added in the RODC (read-only) domain?
------------------------------
leo ma
------------------------------