Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass multiple AD authentication sources EAP-PEAP

  • 1.  Clearpass multiple AD authentication sources EAP-PEAP

    Posted Jan 04, 2017 08:01 AM

    Hi,

    Can someone confirm whether it is possible to have 2 AD authentication sources, to 2 different ADs, with only one AD join in place? (It needs to have a secure connection to both auth sources.)

    Bearing in mind we're using EAP-TLS within EAP-PEAP.

    Hope that makes sense.

    Thanks



  • 2.  RE: Clearpass multiple AD authentication sources EAP-PEAP

    EMPLOYEE
    Posted Jan 04, 2017 08:08 AM

    It is not clear:

    You are trying to join two AD sources but you are using EAP-TLS, which is certificate based. Please explain...

    If you are trying to use two AD sources from two different AD domains, you need to join both domains.... Again, you are mentioning EAP-TLS... where does that come in?

    What are you trying to do?



  • 3.  RE: Clearpass multiple AD authentication sources EAP-PEAP

    EMPLOYEE
    Posted Jan 04, 2017 08:15 AM
    Are the domains in the same forest?
    Is there a trust between the domains?

    Keep in mind that the AD "Authentication Source" is only used for authorization properties with PEAPv0/EAP-MSCHAPV2. The password check is done directly to DCs based on DNS queries or statically configured password servers.


  • 4.  RE: Clearpass multiple AD authentication sources EAP-PEAP

    Posted Jan 04, 2017 09:00 AM

    Let's try again:

    So we currently have ClearPass joined to AD1; for client authentication we are using EAP-PEAP as our outer method and EAP-TLS for the inner, and authorizing to AD1. This works fine.

    We need to introduce AD2 so we can authenticate separately managed devices and users. The issue is we don't want to add ClearPass to this domain. Can this be achieved?

    A one-way trust is in place between the ADs.



  • 5.  RE: Clearpass multiple AD authentication sources EAP-PEAP
    Best Answer

    EMPLOYEE
    Posted Jan 04, 2017 09:04 AM
    If there is a trust, yes, you can authenticate users from the other domain.

    One thing to keep in mind is you'll want users to be authenticating with their UPN. Otherwise you'll run into issues if a user has the same username in both domains.
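    The username-collision point in this answer, shown as an added example (not code from the thread or from ClearPass): two constructed directories stand in for AD1 and AD2, with assumed DNS names ad1.example and ad2.example and one account name present in both. A UPN or a down-level DOMAIN\user name resolves to exactly one domain, while a bare sAMAccountName that exists in both is ambiguous.

```python
"""Constructed example: why bare usernames are ambiguous across two AD domains.

Domain names, NetBIOS names and accounts below are constructed assumptions,
not values from the thread. A RADIUS User-Name may arrive as a UPN
(user@dns-domain), a down-level name (NETBIOS\\user) or a bare
sAMAccountName; only the first two carry a domain hint.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: "jsmith" exists in both domains, the others in one.
DOMAINS = {
    "ad1.example": {"netbios": "AD1", "accounts": {"jsmith", "alee"}},
    "ad2.example": {"netbios": "AD2", "accounts": {"jsmith", "bkhan"}},
}
NETBIOS_TO_DNS = {v["netbios"]: k for k, v in DOMAINS.items()}


@dataclass(frozen=True)
class Resolution:
    status: str              # "ok", "ambiguous" or "unknown"
    domain: Optional[str]    # DNS domain the account was matched to, if any
    account: str


def resolve_user_name(user_name: str) -> Resolution:
    """Map a RADIUS User-Name to exactly one domain, or report why it cannot."""
    if "@" in user_name:                       # UPN: user@dns-domain
        account, _, domain = user_name.rpartition("@")
        domain = domain.lower()
    elif "\\" in user_name:                    # down-level: NETBIOS\user
        netbios, _, account = user_name.partition("\\")
        domain = NETBIOS_TO_DNS.get(netbios.upper())
    else:                                      # bare sAMAccountName: no domain hint
        account = user_name
        hits = [d for d, v in DOMAINS.items() if account.lower() in v["accounts"]]
        if len(hits) == 1:
            return Resolution("ok", hits[0], account)
        # Same account name in more than one domain: no safe way to pick one.
        return Resolution("ambiguous" if hits else "unknown", None, account)
    if domain in DOMAINS and account.lower() in DOMAINS[domain]["accounts"]:
        return Resolution("ok", domain, account)
    return Resolution("unknown", domain, account)
```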


  • 6.  RE: Clearpass multiple AD authentication sources EAP-PEAP

    Posted Jan 04, 2017 09:06 AM

    Thanks!

    Does it matter which direction the trust needs to go?



  • 7.  RE: Clearpass multiple AD authentication sources EAP-PEAP

    EMPLOYEE
    Posted Jan 04, 2017 09:22 AM
    It greatly varies on the domain/forest structure. Please take a look here:



    https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx


  • 8.  RE: Clearpass multiple AD authentication sources EAP-PEAP

    Posted Dec 14, 2022 07:36 AM
    Hello,

    Coming back to this question: we are now using one AD (named AD1) and we want to introduce a second one (AD2), BUT we want to add this AD2 as a new Active Directory authentication source for ClearPass, so we will have two independent sources (AD1 and AD2).
    Is it possible?
    We are using EAP-PEAP and MSCHAPv2 as Wi-Fi authentication protocols, so we need to add ClearPass as a machine inside AD1 and AD2.

    Thank you


  • 9.  RE: Clearpass multiple AD authentication sources EAP-PEAP

    EMPLOYEE
    Posted Dec 14, 2022 09:35 AM
    You responded to a very old discussion. Please open a new discussion, and include the information if your AD1 and AD2 are two different domains with different users, or if these are domain controllers for the same domain. Please be advised that you should not use EAP-PEAP/MSCHAPv2.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------