
LDAP search fails with error: ssl3_get_server_certificate:certificate verify failed over port 636 

Nov 09, 2016 07:02 PM

Problem:

LDAP search fails with the error below:

2016-10-07 14:18:52,822    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] INFO RadiusServer.Radius - rlm_ldap: searching for user test in AD:ad2012.aruba.com
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: administrator@jacobsenconstruction.com bind to ad2012.aruba.com:636 failed: Can't contact LDAP server
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: (re)connection attempt failed
2016-10-07 14:18:52,826    [Th 49 Req 4374 SessId R0000034d-01-57f8032c] ERROR RadiusServer.Radius - rlm_ldap: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate)

 

The intermediate CA and root CA certificates of the LDAP/AD server are included in the ClearPass trust list, yet ClearPass still fails to verify the server certificate.



Diagnostics:

While doing an LDAP search over port 636, it was observed that ClearPass failed to establish a TLS session with the LDAP/AD server and aborted the handshake with an Unknown CA alert. The OpenSSL error in the log, "unable to get issuer certificate", means that ClearPass could not build a certificate path from the server certificate presented by the domain controller to a self-signed root in its trust list.

Confirmed that the intermediate and root CA certificates of the LDAP/AD server are present in the ClearPass trust list. The trust list can be viewed under Administration -> Certificates -> Trust List.


Solution:

Starting with ClearPass 6.6, an LDAP search over port 636 (LDAPS, i.e. AD over SSL) requires the AD/LDAP server's own certificate to be imported into the ClearPass trust list, in addition to the intermediate and root CA certificates. Because the trust then rests on that specific server certificate, the trust-list entry has to be replaced whenever the domain controller's certificate is renewed or re-issued; the previously imported copy no longer matches.

After the AD/LDAP server certificate was imported into the ClearPass trust list, ClearPass was able to establish a TLS session with the LDAP/AD server over port 636 and the LDAP search succeeded.
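The diagnostics and the fix above both come down to which certificates sit in the trust list used to build the path from the server certificate to a trusted anchor. The script below is an added example, not part of the original article and not ClearPass code: it builds a throwaway PKI offline (root CA, issuing CA, LDAP server certificate; all names are constructed) and runs `openssl verify` against four different trust-list contents, reducing each result to a one-word verdict. The `int_only` case produces the exact error text seen in the log ("unable to get issuer certificate": a trusted issuer was found but no path to a self-signed root could be completed), while a trust list holding only the root gives the slightly different "unable to get local issuer certificate". The `pinned_leaf` case is the closest command-line analogue of the 6.6 workaround, trusting the server certificate itself; the CLI needs `-partial_chain` for that because it otherwise insists on chaining to a self-signed root. Only the openssl CLI (1.1.1 or newer) is assumed.

```shell
#!/bin/sh
# Added example, not from the original KB article: reproduce the chain-building
# failures behind OpenSSL's "certificate verify failed" offline with a
# throwaway PKI (root CA -> issuing CA -> LDAP server certificate) and compare
# what "openssl verify" reports for four different trust-list contents.
# Assumes only the openssl CLI (1.1.1 or newer); every name and file below is
# constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build the throwaway PKI once. Subjects are made up for the example.
make_pki() {
    if [ -f "$WORK/ad.pem" ]; then return 0; fi
    # CA extensions are given explicitly so the result does not depend on the
    # local openssl.cnf; the root is self-signed from a CSR for the same reason.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
    openssl x509 -req -days 3650 -set_serial 1 -in "$WORK/root.csr" \
        -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
        -out "$WORK/root.pem" >/dev/null 2>&1
    # Issuing (intermediate) CA, signed by the root.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Example Issuing CA" >/dev/null 2>&1
    openssl x509 -req -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/int.pem" >/dev/null 2>&1
    # LDAP server (leaf) certificate, signed by the issuing CA.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ad2012.example.test\n' \
        > "$WORK/ad.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ad.key" \
        -out "$WORK/ad.csr" -subj "/CN=ad2012.example.test" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/ad.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/ad.ext" \
        -out "$WORK/ad.pem" >/dev/null 2>&1
    # Trust list holding both CA certificates, i.e. what the article's
    # Administration -> Certificates -> Trust List contained before the fix.
    cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root_and_int.pem"
}

# Verify the server certificate against one trust-list scenario and reduce
# the openssl output to a one-word verdict:
#   root_only   trust list holds only the root CA
#   root_int    trust list holds root + issuing CA
#   int_only    trust list holds the issuing CA but not the root that signed it
#   pinned_leaf trust list holds the server certificate itself (partial chain)
verify_case() {
    make_pki
    case "$1" in
        root_only)   args="-CAfile $WORK/root.pem" ;;
        root_int)    args="-CAfile $WORK/root_and_int.pem" ;;
        int_only)    args="-CAfile $WORK/int.pem" ;;
        pinned_leaf) args="-partial_chain -CAfile $WORK/ad.pem" ;;
        *) echo "unknown case: $1" >&2; return 2 ;;
    esac
    # shellcheck disable=SC2086
    out="$(openssl verify $args "$WORK/ad.pem" 2>&1 || true)"
    case "$out" in
        *": OK"*)                                    echo OK ;;
        *"unable to get local issuer certificate"*)  echo NO_LOCAL_ISSUER ;;
        *"unable to get issuer certificate"*)        echo NO_ISSUER ;;
        *)                                           echo "OTHER: $out" ;;
    esac
}

# Print all four verdicts when the script is run directly.
for c in root_only root_int int_only pinned_leaf; do
    printf '%-12s %s\n' "$c" "$(verify_case "$c")"
done
```

Against a live domain controller the same comparison can be made with the chain the server really presents: `openssl s_client -connect ad2012.aruba.com:636 -showcerts </dev/null` prints every certificate sent in the handshake, and `openssl verify -CAfile <exported trust list> <server cert>` reproduces the verdict ClearPass reaches. If the server sends only its leaf, the issuing CA must be in the trust list (the `root_int` case); if the trust list's copy of the issuing CA does not chain to the root it holds, the result is the `int_only` error from the log.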
