What are the best practices recommended for ClearPass - Active Directory authentication setup?

Q:

 

  • Recommended configurations for ClearPass for Active Directory user authentication setups


A:

 

Please find below the recommended best practices for ClearPass configurations:

  • Backup servers for authentication source:

It is recommended to add one or more backup servers to the authentication source. This lets ClearPass switch to a backup server when the primary server fails, so it can continue performing user lookups in AD for authentication/authorization.

 

 

  • Adding “Password Servers” for EAP-PEAP authentication:

It is recommended to map one or more password servers for each domain ClearPass is joined to. This ensures that ClearPass can continue performing NTLM authentication for EAP-PEAP users when the primary AD server (the one ClearPass is joined to) fails.

Hostname/FQDN or IP address of the AD servers are accepted in the password server list.
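The failover behaviour that the two points above rely on (try the primary, then each backup in order, and treat only transport failures as a reason to move on) is illustrated by the following added example. It is not ClearPass code: the server names, the user record and the `query` callable are constructed stand-ins for the real LDAP user lookup (or, for a password server, the NTLM authentication call) that a ClearPass node makes.

```python
"""Ordered failover across an authentication source's primary and backup servers.
Added illustration, not ClearPass code: server names, users and the query
callable are assumptions standing in for the real directory calls."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class AllServersDown(Exception):
    """Raised when the primary and every backup server fail."""


@dataclass
class AuthSource:
    # Primary first, then backups in the order they should be tried.
    servers: List[str]
    # Last failure reason per server, useful when troubleshooting a failover.
    last_error: Dict[str, str] = field(default_factory=dict)

    def lookup(self, username: str, query: Callable[[str, str], dict]) -> dict:
        """Try each server in order; return the first successful result
        together with the name of the server that answered."""
        for server in self.servers:
            try:
                result = query(server, username)
            except (ConnectionError, TimeoutError) as exc:
                # Transport-level failure: remember why and try the next server.
                self.last_error[server] = f"{type(exc).__name__}: {exc}"
                continue
            self.last_error.pop(server, None)
            return {"server": server, **result}
        detail = ", ".join(f"{s} ({e})" for s, e in self.last_error.items())
        raise AllServersDown(detail)


def make_query(down: set, users: dict) -> Callable[[str, str], dict]:
    """Constructed stand-in for a directory: which servers are unreachable and
    what attributes the reachable ones return. Only for this example."""
    def query(server: str, username: str) -> dict:
        if server in down:
            raise ConnectionError(f"{server} unreachable")
        if username not in users:
            # "No such user" is a real answer from a healthy server, not a
            # server failure, so it must not cause a failover to the next one.
            return {"found": False}
        return {"found": True, **users[username]}
    return query


def demo() -> dict:
    # Constructed topology: the primary (dc1) is down, dc2 and dc3 are backups.
    source = AuthSource(["dc1.corp.example", "dc2.corp.example", "dc3.corp.example"])
    query = make_query(down={"dc1.corp.example"},
                       users={"alice": {"memberOf": ["Staff"]}})
    return source.lookup("alice", query)


if __name__ == "__main__":
    print(demo())  # served by dc2.corp.example after dc1 fails
```

The distinction in `make_query` matters in practice: a lookup that returns "user not found" or "wrong password" from a reachable server is a definitive answer, and retrying it against a backup only adds load and delays the reject.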

 

  • Enable DNS Caching:

This reduces the load on the DNS servers, since every successful DNS resolution is cached by ClearPass until the TTL of that record expires.

This greatly improves AD performance where a single AD node is used to perform both authentication and DNS lookups.

This is most effective for EAP-PEAP/MSCHAPv2 authentication scenarios: during the EAP-PEAP/MSCHAPv2 authentication process, ClearPass relies on DNS responses to locate the domain controller and its resources.
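To make the caching behaviour concrete, here is an added example (not ClearPass code) of a TTL-respecting cache in front of a DNS resolver, used for the SRV and A lookups a domain member performs to locate domain controllers. The resolver and the clock are injected, and the zone data is constructed, so the example runs offline; the `resolver_calls` counter shows which lookups actually reach DNS.

```python
"""TTL-respecting DNS cache for domain-controller lookups.
Added illustration, not ClearPass code: the resolver, clock and zone records
are constructed assumptions so the behaviour can be shown offline."""
import time
from typing import Callable, Dict, List, Tuple

# A resolver answers (records, ttl_seconds) for a name and record type.
Resolver = Callable[[str, str], Tuple[List[str], int]]


class DnsCache:
    def __init__(self, resolver: Resolver,
                 clock: Callable[[], float] = time.monotonic):
        self._resolver = resolver
        self._clock = clock
        self._entries: Dict[Tuple[str, str], Tuple[List[str], float]] = {}
        self.resolver_calls = 0  # queries that actually reached the resolver

    def resolve(self, name: str, rtype: str = "A") -> List[str]:
        key = (name.lower().rstrip("."), rtype.upper())
        now = self._clock()
        cached = self._entries.get(key)
        if cached is not None and cached[1] > now:
            return list(cached[0])  # still within TTL: no DNS traffic
        self.resolver_calls += 1
        records, ttl = self._resolver(key[0], key[1])
        if records:
            # Only successful answers are cached, and only until the TTL runs out.
            self._entries[key] = (list(records), now + ttl)
        return list(records)


def dc_srv_name(domain: str) -> str:
    """SRV name a domain member queries to find domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


# Constructed zone standing in for the real DNS data.
FAKE_ZONE = {
    ("_ldap._tcp.dc._msdcs.corp.example", "SRV"):
        (["dc1.corp.example", "dc2.corp.example"], 600),
    ("dc1.corp.example", "A"): (["10.0.0.11"], 3600),
    ("dc2.corp.example", "A"): (["10.0.0.12"], 3600),
}


def fake_resolver(name: str, rtype: str) -> Tuple[List[str], int]:
    return FAKE_ZONE.get((name, rtype), ([], 0))


class FakeClock:
    """Manually advanced clock so TTL expiry can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def locate_dcs(cache: DnsCache, domain: str) -> List[str]:
    """SRV lookup, then an A lookup per host: the chain a PEAP auth depends on."""
    hosts = cache.resolve(dc_srv_name(domain), "SRV")
    return [ip for host in hosts for ip in cache.resolve(host, "A")]


if __name__ == "__main__":
    clock = FakeClock()
    cache = DnsCache(fake_resolver, clock)
    print(locate_dcs(cache, "corp.example"), cache.resolver_calls)  # 3 queries
    print(locate_dcs(cache, "corp.example"), cache.resolver_calls)  # still 3
```

Note that negative answers are deliberately not cached here, so a transient resolution failure during an authentication burst is retried on the next request rather than being remembered for a TTL it never had.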

 

 

  • Set AD recovery Action:

Navigate to Policy Manager > Administration > Server Manager > Server Configuration > click on the server > Service Parameters > Radius server > AD Errors.

This should be set to restart the domain service. This setting ensures that ClearPass automatically restarts the domain service when the number of errors exceeds the set value within the given window size.

List of errors for which the domain service will not be restarted automatically:

  • 0xC000006D - STATUS_LOGON_FAILURE
  • 0xC000006E - STATUS_ACCOUNT_RESTRICTION
  • 0xC000006F - STATUS_INVALID_LOGON_HOURS
  • 0xC0000071 - STATUS_PASSWORD_EXPIRED
  • 0xC0000072 - STATUS_ACCOUNT_DISABLED
  • 0xC0000064 - STATUS_NO_SUCH_USER
  • 0xC000006C - STATUS_PASSWORD_RESTRICTION
  • 0xC000006A - STATUS_WRONG_PASSWORD
  • 0xC0000193 - STATUS_ACCOUNT_EXPIRED
  • 0xC0000234 - STATUS_ACCOUNT_LOCKED_OUT
  • 0xC0000224 - STATUS_PASSWORD_MUST_CHANGE
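The reason those codes are excluded is that each of them is a verdict on the user or credential, not a sign that the domain service or the DC is unhealthy; counting them would let a run of mistyped passwords restart the service. The following added example (not ClearPass code) shows a windowed error counter with exactly that exclusion. The threshold, the window size, the event format and the constructed error stream are assumptions; the excluded codes are the ones listed above, and `STATUS_NO_LOGON_SERVERS` (0xC000005E) is a well-known NTSTATUS value used here as an example of an infrastructure error.

```python
"""Windowed restart decision for an 'AD Errors' style recovery action.
Added illustration, not ClearPass code: threshold, window and event stream
are constructed assumptions; the excluded codes come from the list above."""
from collections import deque
from typing import Deque, Iterable, List, Tuple

# NTSTATUS values that mean the user or credential was rejected, not that the
# domain service or the domain controller is broken. They never count.
USER_LEVEL_ERRORS = {
    0xC000006D,  # STATUS_LOGON_FAILURE
    0xC000006E,  # STATUS_ACCOUNT_RESTRICTION
    0xC000006F,  # STATUS_INVALID_LOGON_HOURS
    0xC0000071,  # STATUS_PASSWORD_EXPIRED
    0xC0000072,  # STATUS_ACCOUNT_DISABLED
    0xC0000064,  # STATUS_NO_SUCH_USER
    0xC000006C,  # STATUS_PASSWORD_RESTRICTION
    0xC000006A,  # STATUS_WRONG_PASSWORD
    0xC0000193,  # STATUS_ACCOUNT_EXPIRED
    0xC0000234,  # STATUS_ACCOUNT_LOCKED_OUT
    0xC0000224,  # STATUS_PASSWORD_MUST_CHANGE
}

STATUS_LOGON_FAILURE = 0xC000006D
STATUS_NO_LOGON_SERVERS = 0xC000005E  # well-known NTSTATUS, not in the list above


class AdErrorMonitor:
    def __init__(self, max_errors: int, window_seconds: float) -> None:
        self.max_errors = max_errors          # "set value" in the UI
        self.window = window_seconds          # "window size" in the UI
        self._events: Deque[Tuple[float, int]] = deque()
        self.restarts = 0

    def record(self, ts: float, ntstatus: int) -> bool:
        """Record one failed AD request; return True if a restart was triggered."""
        if ntstatus in USER_LEVEL_ERRORS:
            return False                      # user-level verdict: ignored
        self._events.append((ts, ntstatus))
        # Drop everything that has aged out of the window.
        while self._events and ts - self._events[0][0] > self.window:
            self._events.popleft()
        if len(self._events) > self.max_errors:
            self.restarts += 1
            self._events.clear()              # count afresh after the restart
            return True
        return False


def simulate(events: Iterable[Tuple[float, int]],
             max_errors: int = 5, window_seconds: float = 60) -> Tuple[List[bool], int]:
    """Run a constructed (timestamp, ntstatus) stream through the monitor."""
    monitor = AdErrorMonitor(max_errors, window_seconds)
    decisions = [monitor.record(ts, code) for ts, code in events]
    return decisions, monitor.restarts


# Constructed streams: ten bad passwords in 50 s, six DC-unreachable errors in
# 30 s, and six DC-unreachable errors spread over 200 s.
BAD_PASSWORDS = [(t, STATUS_LOGON_FAILURE) for t in range(0, 50, 5)]
DC_BURST = [(t, STATUS_NO_LOGON_SERVERS) for t in range(0, 30, 5)]
DC_SPREAD = [(t * 40, STATUS_NO_LOGON_SERVERS) for t in range(6)]

if __name__ == "__main__":
    for name, stream in (("bad passwords", BAD_PASSWORDS),
                         ("dc burst", DC_BURST), ("dc spread", DC_SPREAD)):
        print(name, simulate(stream))
```

The monitor clears its window after triggering so that the same burst is not counted twice against the freshly restarted service; whether the real appliance does this is not stated on the page, so treat it as a design choice of the example.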