Frequent Contributor I

ClearPass AD Auth Source with lots of Read Only Domain Controllers

Hi!

We have more than 40 remote offices (construction sites in different businesses) with RODCs that don't have stable WAN connections to the central site. We want to deploy ClearPass Subscribers into these locations. The locations are very dynamic as these sites are worldwide construction sites. They are completely self-sustainable and don't need to be online all the time.


Problem:

As it's only possible to configure AD servers as Primary (and optional Backup) AD authentication sources, it would be necessary to configure many of these sources (with the local RODC as Primary and a central DC as the Backup AD Auth Source). Configuring ClearPass Services would need many AD Auth sources or Services tailored to the remote offices. This would slow down the authentication process significantly, and it would be hard to administer lots of similar ClearPass services with just different AD sources.


Question:

What is the easiest way to configure and maintain a single AD authentication source that can be used globally?

Is there a mechanism within ClearPass to get the nearest DC (we have a single AD domain and maintain the AD sites and subnets) for use as the AD Authentication Source for EAP-TLS?


Thank you for your ideas!


Regards

Manfred M.

Occasional Contributor I

Re: ClearPass AD Auth Source with lots of Read Only Domain Controllers

I'd be interested in this as well. We have a similar problem in that we have ClearPass servers in Brazil, Europe & Singapore with RODCs. Currently we need to set up new auth sources and services to use the local DCs.

Frequent Contributor I

Re: ClearPass AD Auth Source with lots of Read Only Domain Controllers

Hi!


Our solution was to change the Auth-Source to "Generic LDAP". But you must take care of the default filter statements of the Generic LDAP source, which are different. We had some issues with these filter statements and changed them to the "AD source" filter statement, which works now.


With kind regards

Manfred M.

New Contributor

Re: ClearPass AD Auth Source with lots of Read Only Domain Controllers


@mywegmansconnect wrote:

Hi!


Our solution was to change the Auth-Source to "Generic LDAP". But you must take care of the default filter statements of the Generic LDAP source, which are different. We had some issues with these filter statements and changed them to the "AD source" filter statement, which works now.


With kind regards

Manfred M.


We have a similar problem in that we have ClearPass servers in Brazil, Europe & Singapore with RODCs. Currently we need to set up new auth sources and services to use the local DCs.

Contributor I

Re: ClearPass AD Auth Source with lots of Read Only Domain Controllers

Hi Everyone,


Greetings!


I am not sure if you guys have gone through the new Active Directory site awareness feature of ClearPass 6.8.4.


You can read about it in ClearPass 6.8.4 release notes.

https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.8.4/Default.htm#WhatsNew/NewFeatures_PolicyMgr.htm%3FTocPath%3DWhat's%2520New%2520in%2520This%2520Release%7CNew%2520Features%2520and%2520Enhancements%2520in%2520the%25206.8.4%2520Rele...


Some further information on the concept of AD site: https://blogs.technet.microsoft.com/askds/2011/04/29/sites-sites-everywhere/

Vikram Sonawane | ACCP | @Vikram_Sonawane
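For readers who want to see what "AD site awareness" amounts to, here is an added example (not code from this thread, from ClearPass, or from Aruba) of the DC locator logic from the linked Microsoft article: ask DNS for the SRV record of the client's own site first, then fall back to the domain-wide record. The domain, site name, hosts and zone data are constructed; DNS lookup and reachability checks are injected as functions so it runs offline.

```python
"""DC-locator-style nearest-DC selection by AD site (added example)."""
from typing import Callable, List, NamedTuple, Optional, Tuple


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_names(domain: str, site: Optional[str]) -> List[str]:
    """SRV names in the order the locator tries them: own site, then any DC."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def rank(records: List[Srv]) -> List[Srv]:
    # Lowest priority first; among equals prefer higher weight, then the name
    # so the order is deterministic (a real client picks weighted-randomly).
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def locate_dc(domain: str, site: Optional[str],
              lookup: Callable[[str], List[Srv]],
              reachable: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the first reachable DC, nearest site first."""
    for name in dc_srv_names(domain, site):
        for rec in rank(lookup(name)):
            if reachable(rec.target, rec.port):
                return rec.target, rec.port
    return None  # no DC reachable: a site with a dead WAN and a dead RODC


# Constructed sample zone (hypothetical names): site "Site-A" advertises its
# RODC; the domain-wide record lists the hub DCs as well.
SAMPLE_ZONE = {
    "_ldap._tcp.Site-A._sites.dc._msdcs.example.corp": [
        Srv(0, 100, 389, "rodc-a.example.corp")],
    "_ldap._tcp.dc._msdcs.example.corp": [
        Srv(0, 100, 389, "dc1.example.corp"),
        Srv(0, 50, 389, "dc2.example.corp"),
        Srv(0, 100, 389, "rodc-a.example.corp")],
}


def sample_lookup(name: str) -> List[Srv]:
    # With dnspython this would be dns.resolver.resolve(name, "SRV").
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    print(locate_dc("example.corp", "Site-A", sample_lookup, lambda h, p: True))
```

Swapping the reachability check for a real TCP connect to port 389 (or 636) turns this into a quick way to verify, from a subscriber, which DC the site data would steer it to.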
Frequent Contributor I

Re: ClearPass AD Auth Source with lots of Read Only Domain Controllers

Hi Vikram!


Thank you for the helpful hint regarding CPPM 6.8.4 - this is an improvement for joining the AD.


This will not change the different behaviour when adding a server as an AD source in comparison to adding a Generic LDAP source.


With kind regards

Manfred M.
