Security

 View Only
last person joined: 2 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

clearpass join domain problem

This thread has been viewed 21 times
  • 1.  clearpass join domain problem

    Posted 17 days ago
    Can clearpass join the rodc (read-only) domain?
    Because clearpass needs to write hostname in the ad domain, so I think it is not possible.
    Is it ok if clearpass's hostname is manually added in the rodc (read-only) domain?

    ------------------------------
    leo ma
    ------------------------------


  • 2.  RE: clearpass join domain problem

    EMPLOYEE
    Posted 17 days ago
    Domain join is only needed if you deploy PEAP-MSCHAPv2, which is deprecated because the underlying cryptography is obsolete and broken.

    And I'm quite sure that you can't join computers/servers to a RODC. Adding the hostname is not enough, because a computer account has to be created, and for that afaik you need a writable domain controller.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: clearpass join domain problem

    Posted 17 days ago
    hi robers
     i use eap peap and eap mschapv2,If no domain is added, the user password verification will fail.,


    ------------------------------
    leo ma
    ------------------------------



  • 4.  RE: clearpass join domain problem

    Posted 17 days ago
    hi Robers
       i use dc ad join domain。then password servers use rodc 。
       Does my 802.1x authentication fail when the line to the dc domain goes down?


    ------------------------------
    leo ma
    ------------------------------



  • 5.  RE: clearpass join domain problem
    Best Answer

    EMPLOYEE
    Posted 17 days ago
    There are 2 things here:
    - Kerberos / Domain join for the MSCHAPv2 authentication (again: PEAP-MSCHAPv2 IS DEPRECATED DO NOT USE MSCHAPv2!!! YOU DEPLOY AN INSECURE NETWORK with very few exceptions). This is what uses the password servers, and if you can reach your RODC that should work, also considering the DNS servers that ClearPass uses can still resolve the domain servers in your domain.
    - Authentication source for the LDAP Authorization. If that points to ad1 and ad1 becomes unavailable, the authentication will time out. If that points to your rodc, or if you have a still operational backup server configured, then that should work as well. Also here make sure that DNS works and does not go down with your ad1.

    For a successful EAP-PEAP-MSCHAPv2 802.1X authentication, both must work an be available.

    The questions you ask are more Active Directory high-availability/redundancy questions. For ClearPass the AD services (Kerberos & LDAP) just need to be available.

    I would highly recommend to deploy EAP-TLS instead of PEAP-MSCHAPv2. For EAP-TLS you should not join the domain and the use of a RODC is a no-brainer which just works.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: clearpass join domain problem

    Posted 17 days ago
    hi Robers
      Thank you very much for your reply.
    Because customers do not have the conditions to use TLS, they can only use the EAP-PEAP-MSCHAPv2 802.1X authentication method.

    ------------------------------
    leo ma
    ------------------------------



  • 7.  RE: clearpass join domain problem

    EMPLOYEE
    Posted 17 days ago
    My point is that they can't use MSCHAPv2, unless they are fine that the AD credentials of their users leak out. Or they should have 100% control over their clients, in which case using EAP-TLS is trivial.

    At least make the risk and very strong deprecation of MSCHAPv2 clear to your customer. Also, expect issues like with the latest Windows 11 update where PEAP stopped working.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: clearpass join domain problem

    Posted 16 days ago
    hi Robers
      Thank you very much for the reminder, I will inform the customer about this issue, and we will also pay attention to this issue in future implementations.


    ------------------------------
    leo ma
    ------------------------------