AAA, NAC, Guest Access & BYOD


How to join CPPM to an Active Directory domain in a specific OU

Apr 09, 2015 08:17 AM

In CPPM versions earlier than 6.3, there was no way to make CPPM create its computer account in a specified OU. The account was created in the default "Computers" OU, and the domain administrator then had to move the object to the desired OU.

From CPPM version 6.3 onwards, CPPM can be joined to the Active Directory domain from the CLI and create its computer account directly in the specified OU.

Environment: a typical environment requires CPPM to be joined to the domain so that domain users can be authenticated with PEAP-EAP-MSCHAPv2.

Network Topology:

Any CPPM server version greater than 6.2 with a Windows Domain Controller. I have used CPPM version 6.3.4 and a Windows 2008 Domain Controller (standalone).

FQDN of Domain Controller : windc2k8.ns-lab.com
Hostname of CPPM : TESTCPPM77

1. Create an OU Aruba-2 within Aruba-1, which in turn is within Aruba. The dsquery output is shown below:

[Screenshot: dsquery output]

2. Create a security group called Aruba2-OU-admin_group. Delegate control of the OU to this group and to a user called "sam" in the OU:

[Screenshot: delegating control of the OU]

3. While delegating control for this OU, choose "Create a custom task to delegate" and, on the next screen, "Only the following objects in the folder" with Computer objects selected and Read/Write permissions on the Computer objects:

[Screenshot: delegation wizard, custom task]

[Screenshot: delegation wizard, Computer objects permissions]

4. Try joining ClearPass to the domain with the OU admin "sam" account from the CLI using the ad netjoin command. It should create a machine account in the specified OU.

CLI command:

1. ad netjoin <FQDN of the Domain Controller> ou=Aruba+Aruba-1+Aruba-2
2. Type the OU administrator password when prompted.

[Screenshot: ad netjoin output]

This eliminates the need to move the computer object from the default "Computers" OU to another OU after the computer account has been created on the Domain Controller.

We can check the specific OU on the Domain Controller to confirm that CPPM has created its machine account in the desired OU.

[Screenshot: machine account in the target OU]

We need to take care with the OU order when joining the server to the domain. With respect to the "dsquery" output from the Domain Controller, the OU order to be used is from right to left, i.e. the outermost OU first.
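As an added example (not from the original post or from Aruba), a small Python helper that turns the distinguished name shown by dsquery into the ou= argument for ad netjoin with the outermost OU first, and afterwards checks that the machine account's DN really sits under the intended OU. The DC FQDN, hostname and OU names come from this post; the function names are my own, and the '+'-joined path format is taken from the command shown above.

```python
import re

# From the post: the DC's FQDN and the OU the machine account should land in.
DC_FQDN = "windc2k8.ns-lab.com"
TARGET_OU_DN = "OU=Aruba-2,OU=Aruba-1,OU=Aruba,DC=ns-lab,DC=com"   # as dsquery prints it


def split_dn(dn):
    """Split an LDAP DN into (TYPE, value) pairs, leaf first, honouring backslash-comma escapes."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.upper(), val.replace("\\,", ",")))
    return rdns


def ou_path_for_netjoin(ou_dn):
    """dsquery lists the innermost OU first; the CLI argument wants the outermost first."""
    ous = [val for typ, val in split_dn(ou_dn) if typ == "OU"]
    if not ous:
        raise ValueError("DN has no OU component: " + ou_dn)
    return "ou=" + "+".join(reversed(ous))          # -> ou=Aruba+Aruba-1+Aruba-2


def netjoin_command(ou_dn, dc_fqdn=DC_FQDN):
    """The exact CLI line to type on CPPM (the OU admin's password is prompted for)."""
    return "ad netjoin %s %s" % (dc_fqdn, ou_path_for_netjoin(ou_dn))


def computer_in_expected_ou(computer_dn, ou_dn):
    """Post-join check: the machine account's parent must be exactly the target OU."""
    def norm(pairs):                        # DN values are case-insensitive
        return [(t, v.casefold()) for t, v in pairs]
    rdns = split_dn(computer_dn)
    return rdns[0][0] == "CN" and norm(rdns[1:]) == norm(split_dn(ou_dn))


if __name__ == "__main__":
    print(netjoin_command(TARGET_OU_DN))
    # Constructed dsquery results for the machine account after the join.
    good = "CN=TESTCPPM77,OU=Aruba-2,OU=Aruba-1,OU=Aruba,DC=ns-lab,DC=com"
    default = "CN=TESTCPPM77,CN=Computers,DC=ns-lab,DC=com"   # still in the default container
    print(computer_in_expected_ou(good, TARGET_OU_DN), computer_in_expected_ou(default, TARGET_OU_DN))
```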
