Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 802.1x authentication with AD

  • 1.  ClearPass 802.1x authentication with AD

    Posted Aug 03, 2015 12:06 AM

    Hi all,


    We're using CPPM v6.3. I tried to configure AD as the authentication source for 802.1x while the CPPM hasn't joined the AD domain. The test failed with "authentication failed" (no matter which method is used: EAP-TTLS, EAP-PEAP, etc.)


    Found in the CPPM User Guide that:

    "You can join CPPM to an Active Directory (AD) domain to authenticate users and computers that are members of an Active Directory domain. Joining CPPM to an Active Directory domain creates a computer account for the CPPM node in the AD database. Users can then authenticate into the network using 802.1X and EAP methods, such as PEAP-MSCHAPv2, with their own AD credentials."


    I wonder if it's a must for CPPM to join the AD domain for authentication against AD.


    Would anyone please help?


    Thanks and regards



  • 2.  RE: ClearPass 802.1x authentication with AD
    Best Answer

    EMPLOYEE
    Posted Aug 03, 2015 12:16 AM
    Yes, when using any authentication method that involves MSCHAP, you must join ClearPass to the domain.


    Thanks,
    Tim


  • 3.  RE: ClearPass 802.1x authentication with AD

    Posted Aug 06, 2015 05:00 PM
    What if you're using LDAPS to query?
    The customer does not want to join CPPM to the domain as it is a security policy.
    I was told that it is not absolutely necessary to join it to the domain.


  • 4.  RE: ClearPass 802.1x authentication with AD

    EMPLOYEE
    Posted Aug 06, 2015 05:05 PM
    If you're using MS-CHAPv2, you will need to join them to the domain.


    Thanks,
    Tim


  • 5.  RE: ClearPass 802.1x authentication with AD

    Posted Aug 06, 2015 05:14 PM
    Yes we are using MS-CHAPv2.
    That's not what I was told unfortunately.

    We can query AD using LDAPS and retrieve user information, policies are all setup (basic ones for now).
    I am trying to get a better handle on CPPM as it's my first rodeo here.


  • 6.  RE: ClearPass 802.1x authentication with AD

    EMPLOYEE
    Posted Aug 06, 2015 05:39 PM
    Yes, that's correct. If joining it to the domain is an issue, then your only option for 802.1X will be EAP-TLS.


    Thanks,
    Tim


  • 7.  RE: ClearPass 802.1x authentication with AD

    Posted Aug 06, 2015 09:58 PM

    Right, it works after joining the domain. It's also mentioned in the CPPM User Guide, and it seems we've no choice. Same case when we tested with freeRADIUS+Samba, which is exactly the configuration used on CPPM ;-).


    Thanks for all of your help.


    Regards,

    /ST Wong
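    For the freeRADIUS+Samba combination mentioned above, this is what the domain join buys the RADIUS server: the mschap module hands the MS-CHAPv2 challenge and NT-Response to Samba's ntlm_auth, which validates them at a domain controller using the machine account the join created, since an LDAP bind can only check a cleartext password and never sees the NT hash. This is an added illustration, not configuration from the thread or from ClearPass; the FreeRADIUS 3.x file layout, the paths and the EXAMPLE domain name are assumptions.

    ```conf
    # /etc/raddb/mods-available/mschap  (FreeRADIUS 3.x layout, assumed)
    #
    # Prerequisites on the RADIUS host (one-time, as root):
    #   net ads join -U <domain-admin>        # creates the machine account in AD
    #   systemctl start winbind               # keeps the secure channel to a DC
    #   ntlm_auth --domain=EXAMPLE --username=alice   # prompts; NT_STATUS_OK = join works
    #
    # Why this cannot be replaced by an LDAPS query: MS-CHAPv2 sends a
    # challenge/response derived from the NT hash, not the password. Only a
    # host with a domain machine account can ask a DC to verify it (NTLM
    # pass-through), which is exactly what ntlm_auth does below.
    mschap {
        # Derive MPPE keys and insist on 128-bit encryption for the inner tunnel
        use_mppe           = yes
        require_encryption = yes
        require_strong     = yes

        # Strip the DOMAIN\ prefix some supplicants send before the lookup
        with_ntdomain_hack = yes

        # Pass the client's challenge and NT-Response to Samba for verification.
        # --request-nt-key returns the NT key needed to build the MPPE keys.
        # Newer Samba releases additionally require --allow-mschapv2 here.
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
            --domain=%{mschap:NT-Domain} \
            --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} \
            --challenge=%{%{mschap:Challenge}:-00} \
            --nt-response=%{%{mschap:NT-Response}:-00}"
    }
    ```

    The LDAP/LDAPS source remains useful for authorization (group membership, attributes); it just cannot stand in for the join when the inner method is MS-CHAPv2, whereas EAP-TLS needs neither.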



  • 8.  RE: ClearPass 802.1x authentication with AD

    Posted Aug 07, 2015 08:45 AM
    Completely understand, EAP-TLS has no need for joining the domain.
    I did not configure ClearPass, Aruba did, and I was told it was not necessary, but everything else says otherwise (documentation, community, etc.), so I am just trying to understand.
    I am going to go back and speak to the guy I am working with for this project.



  • 9.  RE: ClearPass 802.1x authentication with AD

    Posted Sep 01, 2015 08:42 AM
    Found out that because we were not using AD to authenticate the users, we were instead using LDAPS to do EAP-PEAP - MSCHAPv2, joining the domain was not necessary, BUT after further discussion we have now joined CPPM to the domain so we can authenticate against AD... my small update.