Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass authentication source

  • 1.  ClearPass authentication source

    Posted Oct 16, 2015 09:29 AM

    Dear Community,

     

    Is there any difference between the following two methods using ClearPass? Which one is recommended?

    1. Create an authentication source (e.g. Active Directory) with a Backup server, and use this authentication source when we create a service.
    2. Create two authentication sources with no backup servers, and use them in a service as authentication sources.

    Thank you for your answer in advance.

    Best regards,

     



  • 2.  RE: ClearPass authentication source

    EMPLOYEE
    Posted Oct 16, 2015 09:33 AM
    The backup server parameter only provides a backup LDAP server to look the user up to see if that user exists. If you are using 802.1X, the actual server utilized is determined by which one AD directs the authentication request to. What are you trying to accomplish?


  • 3.  RE: ClearPass authentication source

    Posted Oct 16, 2015 09:54 AM

    Dear Cjoseph,

     

    We are not trying to accomplish anything special, we just want to know which one is best.

    We are just wondering if there is any difference between the two solutions.

    If we have two replicated ADs, then the best way is to create an authentication source with a backup instead of creating two authentication sources. Am I right?

     

     



  • 4.  RE: ClearPass authentication source

    EMPLOYEE
    Posted Oct 16, 2015 09:56 AM
    Create a single AD source with the domain name as the server name. 


    Thanks, 
    Tim


  • 5.  RE: ClearPass authentication source
    Best Answer

    EMPLOYEE
    Posted Oct 16, 2015 10:00 AM
    If you are doing 802.1X with ClearPass, there are two parts:

    1. LDAP lookup to find the user
    2. 802.1X authentication with AD.

    For #1 you need to create your own redundancy for the LDAP lookup of the user. You should enter a backup IP address specifically for that or just put the FQDN of the domain for ClearPass to choose a server randomly.
    For #2 the request is just sent off to any available domain controller, so in a way there is built-in redundancy.

    I hope this makes sense.


  • 6.  RE: ClearPass authentication source

    Posted Oct 16, 2015 10:04 AM

    Ok, thank you!