Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CP with AD auth to multi forest trust

  • 1.  CP with AD auth to multi forest trust

    Posted 11 days ago

    Hi all,

    I'm not sure if what I'm trying to do is a valid design and need some assistance. We are building a secure environment and have a dedicated ClearPass server that talks to this new secure.local domain. The domain/forest has a trust with the user.local forest, and we would like to have a group in secure.local with individual users from user.local. So far, so good.

    We can authenticate with a user that is part of secure.local but not with any users that are from user.local in the same group.

    I'm doing a GC query on port 3268 and can browse AD. Will this work?



  • 2.  RE: CP with AD auth to multi forest trust

    EMPLOYEE
    Posted 10 days ago

    Been a really long time since I've had to look at a multi-forest setup.

    Double check the trust relationship is of the correct type.

    What kind of authentications are you going to be using?

    Something to look at:  https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=b0fb0082-e715-4014-8370-dbba08115aef&CommunityKey=3dd64143-3ac3-4152-9abd-06dc0b4ecdd1&tab=librarydocuments



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: CP with AD auth to multi forest trust

    Posted 10 days ago

    Thanks,

    When you say correct trust relationship type, you mean e.g. one-way, transitive, etc.? And auth to LDAP is none at the moment while I try to get this working.




  • 4.  RE: CP with AD auth to multi forest trust

    EMPLOYEE
    Posted 10 days ago

    Probably best off opening a case with TAC to troubleshoot what you've got.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: CP with AD auth to multi forest trust

    Posted 9 days ago

    What is your authentication method?

    The LDAP/Global Catalog is just for authorization information, and if you want to do PEAP-MSCHAPv2 (DEPRECATED!!!!!) you would need to join the individual domains.

    If you can share the output of Access Tracker for one working and one non-working user, most specifically the Alerts tab, that may provide an indication of what's going on.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------