Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - Query across forest

  • 1.  ClearPass - Query across forest

    Posted Jul 07, 2014 08:44 PM

    Hi All,

    I am helping a customer with an implementation and we have a setup where they have a rather large forest with many domains which we want to query using CPPM for MSCHAP authentication.

    Assuming the root of the tree is root.domain, we have the CPPM joined to xxx.root.domain and can look up users but not query any from yyy.root.domain.

    I have tried setting up the AD source to use the global catalog for the domain (not sure if this is right but I'm just trying different things) and this lets me see the users in yyy.root.domain, but when I try authentication it fails.

    Looking at the debug logs I can see that the search of the UPN in the remote domain is correct and returns a user; however it then progresses to authentication but uses the sAMAccountName attribute as the authenticator (without a domain prefix) and this fails authentication, presumably because it doesn't contain the domain name of the user.

    I recall in early Amigopod days there was a setting "with_ntdomain_hack" that did something to manipulate how the username was formatted.

    Is this still relevant in CPPM or am I off on the wrong path?

    What I'd like to achieve is AD authentication across the whole forest using MSCHAP without having to join the root / parent domain (we can't do this for political reasons as the root domain comes under the admin of another area who aren't flexible).

    Our service account in the xxx.root.domain is apparently allowed to query all domains (we can browse the yyy.root.domain using ClearPass) and we are able to join the subdomain no problems.

    I'm feeling that the answer may simply be to join the root domain; however my AD knowledge isn't what I'd like it to be...

    Scott



  • 2.  RE: ClearPass - Query across forest

    Posted Jul 08, 2014 09:11 AM
    Have you tried adding the other domains as password servers under the Server Configuration?


  • 3.  RE: ClearPass - Query across forest
    Best Answer

    EMPLOYEE
    Posted Jul 08, 2014 09:18 AM

    Under the ClearPass "help":

    "There is no need to join CPPM to multiple domains belonging to the same AD forest because a one-way trust relationship exists between these domains. In this case, you join CPPM to the root domain." --- That is the answer.



  • 4.  RE: ClearPass - Query across forest

    Posted Jul 08, 2014 12:22 PM

    From what I have seen and TAC confirmed, Colin is correct with a caveat. You only need to join CPPM to the root domain, but you must create an authentication source (type of Active Directory) for each of the sub-domains.



  • 5.  RE: ClearPass - Query across forest

    Posted Jul 08, 2014 07:42 PM

    Thanks everyone for the responses, I think I'm going to have to start using the CPPM help pages more as it seems there is a lot of good info there!

    I'll try joining to the root domain and see how that goes.

    Victor,

    I have seen the option for the password servers, but isn't that just to force auth against a specific server within that domain?

    Scott



  • 6.  RE: ClearPass - Query across forest

    Posted Jul 10, 2014 03:07 AM

    For the benefit of anybody else trying to do this: there is a very, very good summary and workaround documented here:

    https://afp.arubanetworks.com/afp/index.php/Active_Directory

    This is listed as partner-only content so I don't want to paste it here in case that violates any rules. Any Aruba people who could advise otherwise may be able to paste the content?

    Scott