This is from another post by @esupport on how to diagnose and correct AD certificate errors (Troubleshooting ClearPass LDAP AD over SSL):
Diagnostics:
Configuration to verify:
· Port 636 should be open between ClearPass and the LDAP server.
· Add the CA certificate of the LDAP server to the Certificate Trust List.
· Certificate usage must be selected as "EAP" and "AD/LDAP Servers" in the Trust List.
· LDAP Authentication Source hostname should match Certificate CN or SAN field.
Solution
Below are some of the common issues with AD over SSL connection:
1. Hostname mismatch with Certificate:
Error Messages:
Access Tracker Alert:
bind failed - Can't contact LDAP server
Radius Debug Logs:
2020-12-31 00:42:36,684 [Th 27 Req 18 SessId R00000012-11-5fecd124] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2020-12-31 00:42:36,684 [Th 27 Req 18 SessId R00000012-11-5fecd124] ERROR RadiusServer.Radius - rlm_ldap: TLS: hostname does not match CN in peer certificate
Solution:
The LDAP authentication source hostname should match the Active Directory/LDAP certificate CN, or the hostname/FQDN should be present in the SAN (Subject Alternative Name) DNS field.
2. AD/LDAP Certificate not present in ClearPass Trust list:
The AD/LDAP certificate should be present in the ClearPass Trust list. We will get the error below if it doesn't contain the required certificates.
Radius Debug Logs:
2020-12-31 01:33:13,232 [Th 28 Req 19 SessId R00000013-11-5fecdd01] ERROR RadiusServer.Radius - rlm_ldap: james@clearwave.aruba.com bind to win19-165.clearwave.aruba.com:636 failed: Can't contact LDAP server
2020-12-31 01:33:13,232 [Th 28 Req 19 SessId R00000013-11-5fecdd01] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)
· In the packet capture, we can see ClearPass responds "Unknown CA" to the Server Hello (certificate) packet.
Note:
· While adding the AD certificate to the ClearPass Trust list (Administration >> Certificates >> Trust List), specify the following Usages: "EAP" and "AD/LDAP Servers".
------------------------------
Gorazd Kikelj
MVP Guru 2025
------------------------------
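The two failure modes in the post above (a trust list that lacks part of the AD certificate chain, and an authentication source hostname that matches neither the CN nor a SAN entry) can be reproduced with openssl on any workstation before touching ClearPass. The script below is an added example, not from the post or from Aruba: it builds a throwaway two-tier PKI (root and issuing CA names are constructed), issues a domain controller certificate for the hostname seen in the thread's log lines, and then runs the same two checks rlm_ldap performs. The second hostname is also constructed to show the mismatch case.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the chain check and the
# CN/SAN hostname check behind the rlm_ldap errors, using a throwaway PKI.
# The DC hostname comes from the thread's log lines; CA names and the second
# hostname are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

LDAP_HOST=win19-165.clearwave.aruba.com   # hostname from the thread's log line
OTHER_HOST=dc02.clearwave.aruba.com       # constructed: not in the certificate

# new_csr NAME SUBJECT -> NAME.key and NAME.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Two-tier PKI like a typical AD CS deployment: root CA -> issuing CA -> DC cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

new_csr root "/CN=Clearwave Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 1 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null

new_csr issuing "/CN=Clearwave Issuing CA"
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile ca.ext -out issuing.pem 2>/dev/null

# DC certificate: the FQDN goes in the SAN, which is what LDAPS clients match on.
new_csr dc "/CN=$LDAP_HOST"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
  "$LDAP_HOST" > dc.ext
openssl x509 -req -in dc.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 1 -sha256 -extfile dc.ext -out dc.pem 2>/dev/null

# What the ClearPass trust list must hold: the whole chain, not only the root.
cat root.pem issuing.pem > trustlist-full.pem
cp root.pem trustlist-root-only.pem   # the common incomplete import

# verify_chain TRUSTLIST CERT -> "OK" or the openssl error reason
verify_chain() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# verify_hostname TRUSTLIST CERT HOSTNAME -> same, plus the CN/SAN match
verify_hostname() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1 || true
}

# show_names CERT -> subject and SAN the authentication source hostname must match
show_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

echo "== names in the DC certificate";        show_names dc.pem
echo "== full chain in trust list";           verify_chain trustlist-full.pem dc.pem
echo "== root only, issuing CA missing";      verify_chain trustlist-root-only.pem dc.pem
echo "== auth source hostname $LDAP_HOST";    verify_hostname trustlist-full.pem dc.pem "$LDAP_HOST"
echo "== auth source hostname $OTHER_HOST";   verify_hostname trustlist-full.pem dc.pem "$OTHER_HOST"
```

The root-only case prints the same reason the thread's log shows ("unable to get local issuer certificate"), which is why importing just the root is not enough when the DC certificate is issued by a subordinate CA. To run the checks against a real domain controller, replace dc.pem with the chain returned by `openssl s_client -connect <dc-fqdn>:636 -servername <dc-fqdn> -showcerts`, and point -CAfile at the certificates you imported into the ClearPass trust list.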
Original Message:
Sent: Feb 12, 2025 02:57 AM
From: GorazdKikelj
Subject: Getting error when switching ClearPass authentication source from LDAP to LDAPS
Please check on the AD side for the trust certificate and other errors. You should have the AD CA trusted certificates imported in the ClearPass Trust list and AD/LDAP enabled for all of them. By your words, this is already done. Just check the whole AD certificate trust chain to be sure.
Usually this is all to be done from the ClearPass side.
For test you can disable Server Certificate check.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Feb 11, 2025 11:00 PM
From: nwagh
Subject: Getting error when switching ClearPass authentication source from LDAP to LDAPS
Yes, AD/LDAP usage has already been added to the certificate.
We have requirement below
Connection Security: AD over SSL
port: 636
------------------------------
Best Regards,
Nilesh
Original Message:
Sent: Feb 11, 2025 10:57 AM
From: pmonardo
Subject: Getting error when switching ClearPass authentication source from LDAP to LDAPS
Try

This would effectively be the preferred method (standards based). Apply the certificate and, as Carson mentioned, make sure AD/LDAP Servers is selected for that certificate in the trust list.

------------------------------
Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
Original Message:
Sent: Feb 10, 2025 11:48 PM
From: nwagh
Subject: Getting error when switching ClearPass authentication source from LDAP to LDAPS
Hi,
I am switching the ClearPass authentication source from LDAP to LDAPS and getting the error message below. What could be the cause of the issue?
The firewall port has already been opened from ClearPass to AD.
The AD side has already added the ClearPass entries.
Mapped correct certificate under the server certificate.