Hello Jonas,
thank you very much, I had seen this problem in a video by Herman, but I
changed it as you described.
But that doesn't seem to have been the problem.
On my test notebook, I have two certificates, a public one and a private one
from the domain.
I always used the private one from the domain (I wanted to use this for
authentication as well).
But then today I mixed up the two certificates and used the public one. The
connection worked immediately.
Now I have to figure out why...
I'm now unsure: my email address is not listed in the private certificate,
but it is in the public certificate.
Another problem could be that I'm using a public certificate from the same
CA for the radius/radsec, so maybe they trust each other.
Under Trusted Certificates, I have also integrated the domain CA as a
trusted certificate for the use of radius and radsec.
So I still have something to think about... Do you have any idea what the
problem might be?
Thank you for your help
Original Message:
Sent: 10/25/2024 3:02:00 AM
From: jonas.hammarback
Subject: RE: Question to Clearpass and Active Directory
If you can't find the users it's probably because the default query for the username only searches for the user in the sAMAccountName attribute in Active Directory:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
If the username provided is in another form, like domain\username, username@domain.com, or a UPN in the form firstname.lastname@domain.com, the user will not be found.
Modify the AD source under the Attributes tab
Replace the original query with:
(&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))
This query will search for the user in both the sAMAccountName and UPN attributes of the users and handle formats like:
To also handle domain\username you have to strip the domain part of the username in the service under the Authentication tab.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
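To see how the two queries behave on the username formats discussed above, here is an added Python example (not ClearPass code and not from this thread): it substitutes the username where ClearPass puts %{Authentication:Username}, escapes it per RFC 4515 as an extra safety measure, and evaluates the resulting filter against a small constructed directory. The domain name domain.com, the sample entries and the tiny filter evaluator are assumptions made for the demo.

```python
import re

DIRECTORY = [  # constructed sample AD entries for the demo, not real accounts
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@domain.com",
     "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": "wlan-printers", "objectClass": ["top", "group"]},
]
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    """RFC 4515 escaping: the supplied username cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def strip_domain(username):
    """The 'strip domain' option on the service's Authentication tab: DOMAIN\\user -> user."""
    return username.split("\\", 1)[1] if "\\" in username else username

def default_filter(username):
    """ClearPass default AD query: sAMAccountName only."""
    return f"(&(sAMAccountName={escape_value(username)})(objectClass=user))"

def upn_aware_filter(username, domain="domain.com"):
    """Jonas's replacement query: UPN built from the prefix, sAMAccountName, or full UPN."""
    u = escape_value(username)
    return (f"(&(|(userPrincipalName={u}@{domain})(sAMAccountName={u})"
            f"(userPrincipalName={u}))(objectClass=user))")

def _parse(s, i):
    """Parse the filter component starting at s[i]; returns (node, index after it)."""
    if s[i + 1] in "&|":                    # (&...) / (|...) with nested components
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # step over the closing ')'
    end = s.index(")", i)                   # simple (attr=value) assertion
    attr, val = s[i + 1:end].split("=", 1)
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return ("=", attr, val), end + 1

def _matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_matches(k, entry) for k in node[1])
    _, attr, val = node
    values = entry.get(attr, [])
    values = values if isinstance(values, list) else [values]
    return any(v.lower() == val.lower() for v in values)  # AD compares case-insensitively

def find_users(filter_str):
    """sAMAccountNames of DIRECTORY entries matching the given LDAP filter string."""
    node, _ = _parse(filter_str, 0)
    return [e["sAMAccountName"] for e in DIRECTORY if _matches(node, e)]
```

With the default filter only "jdoe" is found; the replacement filter also finds "john.doe" and "john.doe@domain.com", while "CONTOSO\jdoe" is found only after the domain prefix is stripped.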
Original Message:
Sent: Oct 24, 2024 11:03 AM
From: Signor Mic
Subject: Question to Clearpass and Active Directory
Hi Jonas,
thank you very much. I tried it but always get the answer that the user isn't found....
So I have to dig deeper.
Thank you very much!
Original Message:
Sent: Oct 24, 2024 10:51 AM
From: jonas.hammarback
Subject: Question to Clearpass and Active Directory
Hi Michael
For EAP-TLS ClearPass doesn't need to be domain joined. This is only true for EAP-PEAP.
ClearPass servers can join multiple Active Directories at the same time without any problems if there is a need to do so.
In your case you should create two LDAP connections, one to each AD, and use them as authentication sources in the respective services.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Oct 24, 2024 10:41 AM
From: Signor Mic
Subject: Question to Clearpass and Active Directory
Hello all,
I've read a lot in the community posts, but can't find (or get the right idea for) the answer.
I have two different Active Directories. They are both standalone and not connected by a trust or anything else.
Domain 1 contoso.com - is used productive
Domain 2 edu.contoso.com - is only used for eduroam authentication
Now my goal is to create two different services in Clearpass so that I can use each of the two Active Directories for a different SSID (SSID1 eduroam, SSID2 contoso_staff) with EAP-TLS.
So far, I have read that for EAP-TLS, Clearpass must be included in the domain.
But since I now have different domains, the question is how can this be solved?
Best regards
Michael