Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cannot load field from AD using LDAPS

  • 1.  Cannot load field from AD using LDAPS

    Posted Mar 03, 2020 02:01 PM

    Hello,


    Today we have ClearPass working fine, and we are now requested to change the operational mode to LDAPS instead of LDAP.

    So far, I can make ClearPass speak through LDAP over SSL with no problems, and the requests are being accepted and authenticated.


    The thing is, I have a role policy that labels the user based on the Department field from the Active Directory. When I use LDAP it works fine, and when I use LDAPS it simply ignores it and the role does not work.


    I'm attaching some prints of both situations.


    CP2 has the role Coord_Infra. The authentication source is the same. I copied it and replaced the port and security fields.


  • 2.  RE: Cannot load field from AD using LDAPS

    EMPLOYEE
    Posted Mar 04, 2020 03:45 AM

    Do you see the authorization parts filled equally in the Input tab for both requests?

    The screenshots show different Authorization sources (Teste LDAPS / AD Prod). Could it be that one pulls the Department field as an attribute where the other doesn't?

    Did you import the AD LDAP certificate's root CA in the Trust List?




  • 3.  RE: Cannot load field from AD using LDAPS

    Posted Mar 04, 2020 05:16 AM

    Herman,


    Yes, I see the authorization information in both requests, including the Department field.


    The Teste LDAPS is a copy of the AD PROD authentication source. The only thing different is the security configuration. However, I checked both of the authentication sources, as you suggested. Print is attached.


    Thanks in advance.



  • 4.  RE: Cannot load field from AD using LDAPS

    EMPLOYEE
    Posted Mar 04, 2020 05:41 AM

    When you say you've tested it, how did you do this? I'm not convinced that "browsing" the LDAP from ClearPass will use the source's "Connection Security" (I feel it only uses "None", i.e. port 389).

    In the Access Tracker event, are you seeing an Alert tab? In the attached screenshot this indicates that there is something wrong with my LDAPS communication (LDAP over SSL). In my case it works fine when using LDAP (None).



  • 5.  RE: Cannot load field from AD using LDAPS

    Posted Mar 04, 2020 06:05 AM

    @dmellor,


    I tested copying the same service and then I changed the authorization source to a copy of my original (but using AD over SSL, port 636).


    Before I got to where I am now, I had a problem close to yours, but that was because I was using port 636 with security set to None. Then I had the problem attached. It was also solved using AD over SSL.

    You need, as well, to check whether your AD is listening for requests on 636 and check the Windows firewall.


    In my case, everything related to authentication seems to work fine, but the roles are not applied. I can even browse the AD subtree from the authentication source's primary tab.




  • 6.  RE: Cannot load field from AD using LDAPS
    Best Answer

    EMPLOYEE
    Posted Mar 04, 2020 06:54 AM

    Could it be that you are testing the Department field from the wrong Authorization source?


    In the screenshots, you see that the Department field is different for both authorization sources. If you are still checking Authorization:Prod AD:Department, that is not filled when authorization is happening against the other authentication source. You should then test for Authorization:Teste LDAPS:Department in role mapping or enforcement.
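    The behaviour described in this answer, modelled as an added Python example (not ClearPass code): authorization attributes are namespaced by the source that returned them, so a role-mapping rule written against "Prod AD" silently never matches a request authorized by the "Teste LDAPS" copy. The request, rules and the lint helper are constructed assumptions for illustration.

```python
"""Model of how a role-mapping rule resolves a namespaced attribute.

Assumption (supported by the thread): attributes appear in the Input tab
as "Authorization:<Source>:<Attribute>". An attribute no configured
source filled is absent, and the condition evaluates to false.
"""
from typing import Dict, List, Optional, Tuple

# A rule: (attribute name, operator, expected value, role to assign)
Rule = Tuple[str, str, str, str]


def attr_name(source: str, attribute: str) -> str:
    """Build the namespaced attribute key as shown in the Input tab."""
    return f"Authorization:{source}:{attribute}"


def evaluate_rule(rule: Rule, request: Dict[str, str]) -> Optional[str]:
    """Return the role when the condition matches, else None."""
    attribute, op, expected, role = rule
    actual = request.get(attribute)
    if actual is None:          # source never filled it: no match, no role
        return None
    if op == "EQUALS" and actual == expected:
        return role
    if op == "CONTAINS" and expected in actual:
        return role
    return None


def map_roles(rules: List[Rule], request: Dict[str, str]) -> List[str]:
    """Roles assigned to one request by a list of rules."""
    return [r for r in (evaluate_rule(rule, request) for rule in rules) if r]


def unresolvable_rules(rules: List[Rule], service_sources: List[str]) -> List[Rule]:
    """Config check (hypothetical helper): rules that reference an
    authorization source the service does not use can never match."""
    valid = [f"Authorization:{s}:" for s in service_sources]
    return [r for r in rules
            if r[0].startswith("Authorization:")
            and not any(r[0].startswith(v) for v in valid)]


# Constructed sample request: the service was switched to the LDAPS copy.
REQUEST_LDAPS = {
    attr_name("Teste LDAPS", "Department"): "Infra",
    attr_name("Teste LDAPS", "memberOf"): "CN=Coord_Infra,OU=Groups,DC=example,DC=com",
}
OLD_RULE: Rule = (attr_name("Prod AD", "Department"), "EQUALS", "Infra", "Coord_Infra")
NEW_RULE: Rule = (attr_name("Teste LDAPS", "Department"), "EQUALS", "Infra", "Coord_Infra")
```

    Running `unresolvable_rules` over a copied service's rules before cutover flags exactly the mismatch that cost the role here.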



  • 7.  RE: Cannot load field from AD using LDAPS

    Posted Mar 04, 2020 07:11 AM

    Herman,


    That was it! I copied the whole rule and didn't pay attention to that. Thanks for your help!!!