Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Policy Manager connecting to Apple LDAP

  • 1.  ClearPass Policy Manager connecting to Apple LDAP

    Posted May 18, 2012 09:57 AM

    Hello All,

    I am in the process of deploying an Aruba ClearPass Policy Manager, and the client currently does not have an Active Directory domain; they use Apple OS X Server running Open Directory for user authentication. I have been trying to get the binding to Open Directory working using the Generic LDAP configuration for 802.1x authentication on the new Aruba wireless network I have deployed. I have configured the hostname, which is the FQDN of the primary Apple server, and set up the bind DN as the UID for the diradmin and its password.

    I have used an LDAP browser and connected right away from my laptop. The ClearPass server with the same settings cannot. Can someone tell me what I am doing wrong?

    If more information is needed, I can supply it.



  • 2.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted May 18, 2012 12:03 PM

    Did you put in the full DN of the bind user? For example, CN=diradmin,dc=appleldap,dc=com (fill in with the proper DN).

    Also, you mention that you are using the FQDN of the Apple server. Is ClearPass configured with DNS servers? Have you tried using the IP address instead?

    Please provide a screenshot of the primary LDAP connection details screen.



  • 3.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted May 18, 2012 08:44 PM

    OK, so I got in touch with TAC about this. I have the ClearPass server registered with DNS, which is the actual server that is running the Open Directory also.

    The TAC engineer was able to get the bind to work using the IP address instead. Not sure why I didn't try this. But it seems that they are still not communicating correctly for 802.1x authentications using EAP-MSCHAPv2, PAP, or most of the others, and it seems that Open Directory 2.4 (I believe this was the version) was never tested. They have escalated this and are finding out if they can get this to work.



  • 4.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted May 20, 2012 06:11 PM

    You might also want to try using LDAP v3.  Use ldap3:// in the bind URL (or ldap3s:// if you are using SSL).



  • 5.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted Jun 01, 2012 06:14 PM

    Please make sure the password attribute is exposed from Apple LDAP to perform PEAP/MSCHAPv2. Otherwise, you might have to resort to PAP authentication. On any failures you can collect CPPM logs and send them to the support alias for analysis.



  • 6.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted Jan 10, 2013 03:18 AM
    A bit late to help the OP, but the only way to do PEAP/MSCHAPv2 authentication to Open Directory is by enabling the Apple RADIUS server on the Open Directory server and authenticating against that. OD doesn't expose passwords over LDAP.


  • 7.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted Jul 17, 2013 06:51 PM

    Hi All,

    We are trying to do dot1x authentication where we have added Microsoft AD LDS (LDAP) as the authentication source. We have not added the CPPM to any of the Active Directories...

    When we try to do a user authentication, we are getting an error: MSCHAPv2: authentication failure

    AD LDS will not expose the password attribute; however, it will validate the password with the actual AD... (Proxy Authentication)

    Can anyone help us with this?

    Regards

    Mohammed Mukram



  • 8.  RE: ClearPass Policy Manager connecting to Apple LDAP

    EMPLOYEE
    Posted Jul 17, 2013 06:53 PM
    Did you join the CPPM to the domain?

    Thank you
    Troy Arnold
    tarnold@arubanetworks.com


  • 9.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted Jul 17, 2013 06:56 PM

    Thanks Arnold for your quick response.

    As I said, we are using Microsoft AD LDS (which is an LDAP server); I have not joined the CPPM to the AD.

    However, the customer has added the CPPM hostname in their domain controller...

    I hope I have answered your question.

    Regards,

    Mohammed Mukram



  • 10.  RE: ClearPass Policy Manager connecting to Apple LDAP

    EMPLOYEE
    Posted Jul 18, 2013 12:15 AM

    If you want to do MSCHAPv2 against an AD, even if it's a lightweight AD, then you must join the AD through CPPM.

    ** I'm not an AD expert ** :)

    But I don't believe that by just adding the hostname to the domain you will be able to authenticate against it.



  • 11.  RE: ClearPass Policy Manager connecting to Apple LDAP

    Posted Apr 12, 2018 03:44 AM

    Hi Mohammed,

    Did you manage to authenticate users with ClearPass on AD LDS?

    I'm not able to find any information about ClearPass compatibility with AD LDS.

    Matthieu