Does ClearPass run with two different directory systems?

  • 1.  Does ClearPass run with two different directory systems?

    Posted Apr 03, 2019 01:54 AM

    One of our customers wants to migrate from his LINUX LDAP directory system to Microsoft AD directory server.

    Question: Is it possible to connect both the LDAP directory server and the new Microsoft AD server with ClearPass, and then gradually migrate the ClearPass rules from the LINUX LDAP server to the Microsoft AD server?

    Has anyone done such a migration already?

     

    Thanks for any input in advance.



  • 2.  RE: Does ClearPass run with two different directory systems?

    EMPLOYEE
    Posted Apr 03, 2019 07:59 PM

    Hello,

    Yes, ClearPass can run two different authentication sources. Assuming you are doing EAP-MSCHAPv2 authentications, make sure ClearPass is joined to the AD domain. In the service where LDAP authentication is running correctly, you can map the AD as primary authentication source and LDAP as secondary. If ClearPass cannot find the user in the AD, it will fall back to LDAP for authentication.

    Hope this helps.



  • 3.  RE: Does ClearPass run with two different directory systems?

    Posted Apr 05, 2019 01:37 AM

    Hello Mohammed,

    Thanks for your answer. One question that I still have is: where can I set which directory service is primary and which should be secondary?

    Does this depend on the position from the service?

    Many thanks



  • 4.  RE: Does ClearPass run with two different directory systems?

    EMPLOYEE
    Posted Apr 05, 2019 07:14 AM
    How are your clients configured for authentication now? That will determine your path moving forward.


  • 5.  RE: Does ClearPass run with two different directory systems?

    Posted Apr 05, 2019 07:50 AM

    EAP-TLS



  • 6.  RE: Does ClearPass run with two different directory systems?

    EMPLOYEE
    Posted Apr 05, 2019 07:57 AM
    EAP-TLS does not use username and password. Directory services would only come into play to check if the account in the certificate is still valid, really.


  • 7.  RE: Does ClearPass run with two different directory systems?

    Posted Apr 05, 2019 09:01 AM

    In this network we have only one "Corporate SSID". If you connect to the Corporate SSID, you will be forwarded to the Captive Portal and then you go through a self-registration process. If you are an employee, student, or IT staff (we have EAP-TLS, so a certificate will also be installed on your device), you can connect to the WLAN/LAN. If you are a visitor, you are asked to type in the contact person's e-mail address to be connected. For employees, students and the IT staff, OU=Groups exists in the LDAP server. So when the type of user is clear for CP, CP will set the relevant roles for the user and give them access.



  • 8.  RE: Does ClearPass run with two different directory systems?

    EMPLOYEE
    Posted Apr 05, 2019 04:12 PM

    Are you using onboard?



  • 9.  RE: Does ClearPass run with two different directory systems?

    Posted Apr 06, 2019 05:08 AM

    Yes



  • 10.  RE: Does ClearPass run with two different directory systems?

    EMPLOYEE
    Posted Apr 06, 2019 08:27 AM

    You would just have to have ClearPass authenticate to the new Active Directory, if you switch over, to onboard your users.

    I will let others weigh in on the migration strategy here.