Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CP with AD auth to multi forest trust

  • 1.  CP with AD auth to multi forest trust

    Posted Sep 04, 2024 10:45 AM

    Hi all,

    I'm not sure if what I'm trying to do is a valid design and need some assistance. We are building a secure environment and have a dedicated ClearPass server that talks to this new secure.local domain. The domain/forest has a trust with the user.local forest, and we would like to have a group in secure.local with individual users from user.local. So far so good.

    We can authenticate with a user that is part of secure.local, but not with any users that are from user.local in the same group.

    I'm doing a GC query on port 3268 and can browse AD. Will this work?



  • 2.  RE: CP with AD auth to multi forest trust

    EMPLOYEE
    Posted Sep 04, 2024 07:07 PM

    Been a really long time since I've had to look at a multi-forest setup.

    Double check the trust relationship is of the correct type.

    What kind of authentications are you going to be using?

    Something to look at:  https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=b0fb0082-e715-4014-8370-dbba08115aef&CommunityKey=3dd64143-3ac3-4152-9abd-06dc0b4ecdd1&tab=librarydocuments



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: CP with AD auth to multi forest trust

    Posted Sep 05, 2024 06:19 AM

    Thanks,

    When you say correct trust relationship type, do you mean e.g. one-way, transitive, etc.? And auth to LDAP is none at the moment while I try and get this working.




  • 4.  RE: CP with AD auth to multi forest trust

    EMPLOYEE
    Posted Sep 05, 2024 10:58 AM

    Probably best off opening a case with TAC to troubleshoot what you've got.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: CP with AD auth to multi forest trust

    Posted Sep 06, 2024 03:49 AM

    What is your authentication method?

    The LDAP/Global Catalog is just for authorization information, and if you want to do PEAP-MSCHAPv2 (DEPRECATED!!!!!) you would need to join the individual domains.

    If you can share the output of Access Tracker for one working and one non-working user, most specifically the Alerts tab, that may provide an indication of what's going on.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
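To illustrate the authorization side of this reply (why a GC query against secure.local can see the group but not resolve its user.local members), here is an added example that is not from the thread or from HPE Aruba Networking. It assumes the forest names from the thread and a constructed `member` list for the secure.local group; a user from a trusted forest is stored there as a foreignSecurityPrincipal object carrying only the user's SID, so the secure.local Global Catalog holds none of that user's attributes.

```python
"""Classify group members by whether the queried forest's Global Catalog can resolve them.

Assumed setup (taken from the thread): ClearPass queries the secure.local GC on 3268,
and a secure.local group contains users from the trusted user.local forest.
"""
from typing import Dict, List

# Forest root of the GC that ClearPass queries (assumption taken from the thread).
QUERIED_FOREST_DN = "DC=secure,DC=local"

# Constructed sample 'member' values of the secure.local group. A user from a
# trusted forest is stored as a foreignSecurityPrincipal (FSP) object that holds
# the user's SID but no user attributes (sAMAccountName, UPN, memberOf).
SAMPLE_MEMBERS: List[str] = [
    "CN=Alice Native,OU=Staff,DC=secure,DC=local",
    "CN=S-1-5-21-1111111111-2222222222-3333333333-1105,"  # constructed SID
    "CN=ForeignSecurityPrincipals,DC=secure,DC=local",
]

def domain_of(dn: str) -> str:
    """Return the lower-cased DC=... suffix of a DN."""
    # Escaped commas in RDN values are not handled; AD user/FSP DNs rarely need them.
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.upper().startswith("DC=")).lower()

def in_forest(dn: str, forest_root: str) -> bool:
    """True when the DN's domain is the forest root or one of its child domains."""
    dom, root = domain_of(dn), forest_root.lower()
    return dom == root or dom.endswith("," + root)

def classify_member(dn: str, forest_root: str = QUERIED_FOREST_DN) -> Dict[str, object]:
    """Report whether this forest's GC can return user attributes for the member."""
    rdn_value = dn.split(",", 1)[0].split("=", 1)[1]
    if ",cn=foreignsecurityprincipals," in dn.lower():
        return {"dn": dn, "kind": "fsp", "sid": rdn_value, "resolvable_here": False,
                "note": "only objectSid is stored here; user attributes live in the trusted forest"}
    if in_forest(dn, forest_root):
        return {"dn": dn, "kind": "native", "sid": None, "resolvable_here": True,
                "note": "full object is in this forest's GC partial replica"}
    return {"dn": dn, "kind": "other_forest", "sid": None, "resolvable_here": False,
            "note": "DN belongs to another forest; this GC has no replica of it"}

def unresolvable_members(members: List[str], forest_root: str = QUERIED_FOREST_DN) -> List[str]:
    """DNs the queried GC cannot turn into user attributes; these need a second auth source."""
    return [m for m in members if not classify_member(m, forest_root)["resolvable_here"]]

if __name__ == "__main__":
    for m in SAMPLE_MEMBERS:
        print(classify_member(m))
```

Members reported as `fsp` or `other_forest` explain a working secure.local user next to a failing user.local one: the attributes ClearPass needs for those users must come from an authentication source pointed at the user.local forest.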