  • 1.  Question to Clearpass and Active Directory

    Posted Oct 24, 2024 10:42 AM

    Hello all,

    I've read a lot in the community posts, but can't find (or get the right idea for) the answer.

    I have two different Active Directories. They are both standalone and not connected by a trust or anything else.

    Domain 1: contoso.com - used in production

    Domain 2: edu.contoso.com - used only for eduroam authentication

    Now my goal is to create two different services in ClearPass so that I can use each of the two Active Directories for a different SSID (SSID1: eduroam, SSID2: contoso_staff) with EAP-TLS.
    So far, I have read that for EAP-TLS, ClearPass must be joined to the domain.

    But since I now have different domains, the question is how can this be solved?

    Best regards

    Michael



  • 2.  RE: Question to Clearpass and Active Directory

    Posted Oct 24, 2024 10:51 AM

    Hi Michael

    For EAP-TLS ClearPass doesn't need to be domain joined. This is only true for EAP-PEAP.

    ClearPass servers can join multiple Active Directories at the same time without any problems if there is a need to do so.

    In your case you should create two LDAP connections, one to each AD, and use them as authentication sources in the respective services.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Question to Clearpass and Active Directory

    Posted Oct 24, 2024 11:04 AM

    Hi Jonas,

    thank you very much. I tried it but always get the answer that the user isn't found...

    So I have to dig deeper.

    Thank you very much!




  • 4.  RE: Question to Clearpass and Active Directory

    Posted Oct 25, 2024 03:02 AM

    If you can't find the users, it's probably because the default query for the username only searches for the user in the sAMAccountName attribute in Active Directory:

    (&(sAMAccountName=%{Authentication:Username})(objectClass=user))

    If the username provided is in another form, like domain\username, username@domain.com, or a UPN in the form firstname.lastname@domain.com, the user will not be found.

    Modify the AD source under the Attributes tab

    Replace the original query with:

    (&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))

    This query will search for the user in both the sAMAccountName and UPN attributes of the users and handle formats like:

    To also handle domain\username you have to strip the domain part of the username in the service under the Authentication tab.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
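The reply above shows the default and the extended AD filter but does not show which username formats each one actually resolves, nor what the "strip username" step changes. The following is an added example, not code from the thread or from ClearPass: it substitutes %{Authentication:Username} into both filters the way the product does, evaluates them with a small RFC 4515 filter parser against a constructed in-memory directory for edu.contoso.com (the domain suffix and the user entries are assumptions), and also escapes the substituted value so that a username containing filter metacharacters such as `*` cannot widen the search. Whether ClearPass escapes the substituted value itself is not something this thread shows; the example makes the difference visible by running the `*` case both ways.

```python
import re

# Constructed sample of what edu.contoso.com would return (not real data).
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "mmueller",
     "userPrincipalName": "michael.mueller@edu.contoso.com",
     "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "svc-radius",
     "userPrincipalName": "svc-radius@edu.contoso.com",
     "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "printers", "objectClass": ["top", "group"]},
]

PLACEHOLDER = "%{Authentication:Username}"
# Default ClearPass filter and the extended one from the reply (domain assumed).
DEFAULT_FILTER = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
EXTENDED_FILTER = (
    "(&(|(userPrincipalName=%{Authentication:Username}@edu.contoso.com)"
    "(sAMAccountName=%{Authentication:Username})"
    "(userPrincipalName=%{Authentication:Username}))(objectClass=user))"
)


def ldap_escape(value):
    """RFC 4515 escaping so a user-supplied name cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def strip_domain(username):
    """Service-level 'strip username' rule: DOMAIN\\user -> user (realms are left alone)."""
    return username.split("\\", 1)[1] if "\\" in username else username


def expand_filter(template, username, escape=True):
    """Substitute the ClearPass placeholder, escaped unless the caller opts out."""
    return template.replace(PLACEHOLDER, ldap_escape(username) if escape else username)


def _unescape(v):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _parse(f, i=0):
    """Minimal RFC 4515 parser: and/or lists and attr=value items (enough for these filters)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|":
        op, subs, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        if f[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = f.index(")", i)  # an escaped ')' is '\29', so the first bare ')' ends the item
    attr, raw = f[i:j].split("=", 1)
    return ("=", attr, raw), j + 1


def _value_matches(raw, actual):
    # A bare '*' is a wildcard; escaped characters compare literally. AD string
    # matching for these attributes is case-insensitive.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


def _match(node, entry):
    if node[0] == "&":
        return all(_match(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_match(n, entry) for n in node[1])
    _, attr, raw = node
    actual = entry.get(attr, [])
    actual = actual if isinstance(actual, list) else [actual]
    return any(_value_matches(raw, a) for a in actual)


def lookup(template, username, strip=False, escape=True, directory=SAMPLE_DIRECTORY):
    """Return the sAMAccountNames the expanded filter matches in the directory."""
    if strip:
        username = strip_domain(username)
    tree, _ = _parse(expand_filter(template, username, escape))
    return [e["sAMAccountName"] for e in directory if _match(tree, e)]


if __name__ == "__main__":
    names = ("mmueller", "michael.mueller@edu.contoso.com", "michael.mueller", "EDU\\mmueller")
    for label, tmpl in (("default", DEFAULT_FILTER), ("extended", EXTENDED_FILTER)):
        for n in names:
            print("%-8s %-34s -> %s (stripped: %s)" % (label, n, lookup(tmpl, n), lookup(tmpl, n, strip=True)))
    print("'*' escaped:", lookup(DEFAULT_FILTER, "*"), " unescaped:", lookup(DEFAULT_FILTER, "*", escape=False))
```

Running it shows the point of the reply: the default filter resolves only `mmueller`, the extended filter additionally resolves the UPN and the bare `firstname.lastname` form, and `EDU\mmueller` resolves only once the service strips the domain prefix. The last line shows why the substituted value should be escaped: unescaped, `*` turns the lookup into "every user object".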



  • 5.  RE: Question to Clearpass and Active Directory

    Posted Oct 25, 2024 10:59 AM

    Hello Jonas,

    Thank you very much. I had seen this problem in a video by Herman, but I changed it as you described.

    But that doesn't seem to have been the problem.

    On my test notebook, I have two certificates, a public one and a private one from the domain. I always used the private one from the domain (I wanted to use this for authentication as well).

    But then today I mixed up the two certificates and used the public one. The connection worked immediately.

    Now I have to figure out why...

    I'm now unsure: my email address is not listed in the private certificate, but it is in the public certificate.

    Another problem could be that I'm using a public certificate from the same CA for RADIUS/RadSec, so maybe they trust each other.

    Under Trusted Certificates, I have also integrated the domain CA as a trusted certificate for the use of RADIUS and RadSec.

    So I still have something to think about... Do you have any idea what the problem might be?

    Thank you for your help




  • 6.  RE: Question to Clearpass and Active Directory

    Posted Oct 25, 2024 11:06 AM

    If you have multiple certificates from different CA servers, the client will select the certificate issued by the same CA as the RADIUS certificate on the ClearPass server. If you need to change this, you need to configure certificate selection in the 802.1X profile.

    Click Advanced

    And select the CA that has issued the certificate you would like to utilize for the authentication.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------