Security

Hi community, I hope you are well.
I have a problem since my users of Red 802.1X when adding in the authentication method "AD over SSL" gives me an error when trying to enter the folder tree of the Active Directory, but when I do it without security (none / 389 ) if you let me browse the folders with the AD account; if you authenticate users taking Active Directory into account as the origin and authorization of the authentications when I do not enable "validate with server" in the configuration of the NIC ethernet, but when I enabled it and put the FQDN or Clearpass IP it does not gives an error and the user can not connect. If I have Root CA certificate in the "Trust List".
Do you know what it could be? Can it be something in the Domain Server configuration?

-Clearpass 6.7
-Switch's Aruba 2930M using downloadable roles
-Clearpass in Domain with administrator account
-Root CA Windows Server 2016 with only the role of "authority certificate".
-The Active Directory server does not have Root Role CA, is it ok or should it have mandatory ?.

These tests had already worked for me in a test lab environment and I am oriented to the production environment.

I attach some evidence and I hope you can support me.

Did you import the Issuing CA certificate for the Domain controller into Clearpass trust list? If not that needs to happen. 

Hi jpearcy00, I hope you are well and thank you for answering.

If I have my Root CA installed on a Windows Server 2016 but it is not the Active Directory Domain Server.
The Root CA certificate if I have it loaded in the "Trust list" of Clearpass and I also have it as my "Root CA" in Radius Certificate.

The error I do not know if it is because the Root Role CA does not have the domain server or if it does not affect that it does not.

Thank you.

The error message indicates: unknown_ca, which means that the certificate presented by your domain controller is not signed by a trusted root CA.

Are you sure that the domain controller has received the proper server certificate from your CA? And that you configured the domain controller to use that certificate for LDAPS?

I have only setup the ADCS CA on the domain controller in the past and don't remember any additional steps to use the enterprise server certificate. If you have openssl, you can find out what certificate is being set:

openssl s_client -connect dc01.example.com:636

You will probably see that the certificate is not issued/signed by your ADCS.

Hi Herman, thank you very much for answering and I hope you are well.

I have already carried out the import of the RootCA certificate from my other CA Server to the Domain Controller server and it was imported into the "Trusted root certification authority" location and still does not give me the access by port 636 AD over SSL.

1.- How can I configure the domain controller to use the Root CA certificate of the other server for LDAPS?

I'm enrolling Clearpass with the production servers but have the insecurity that if I add the RootCA "Role" in the Domain Controller something happens or affects other services, but nothing bad should happen with the operation of the other services executing in The Domain Controller.

Or stop complications and install the Domain Controller as Root CA with the "Role Certificate Authority"

I hope you can support me, thank you very much.
Greetings.

I'm not a Microsoft CA expert. If I Google for 'Active Directory import ldaps certificate', few sites pop up, I just can't judge if that breaks things in your production environment.

I think the first step would be to find what certificate is actually be used, as I see only few responses on Google on this topic which suggests it should work automatically in most cases. Then I would test this in a lab first before deploying in production; or request external support to do this change.

Stupid question, but have you (left) enabled your RootCA in the ClearPass Trust list? It has to be enabled (which is done by default on import). 

Hi Herman, again, thank you very much for answering.

I did tests in an isolated environment of tests in a laboratory and everything worked correctly with a Server like Domain controller and CA in the same server, so if all my tests worked for me; The point in the production scenario is that the Domain Controller has been having problems for all the Roles that already exist and the client does not want to add another point of failure or something to fail when installing it in the Domain Controller.
I already made the import of the certificate in the "Trust list" of Clearpass and in the Domain Controller I have already made the import of the same certificate in the folder of the certificates: trusted root certification entities and Personal, but I still give the same error because when trying to search the domain controller tree with AD over SSL security I get the error that there is no communication.
I will try with the Openssl command to identify who is using that port or what certificate it is. I can run it from any pc in the domain, right? or does it have to be specifically in the Domain Controller?

- According to what I have found on the internet, they indicate that I should only import the certificate in the Domain Controller, but it has not worked for me.
-I understand that the best and easiest practice is to do CA to the Domain Controller since at the moment it did not let me put it as "Entreprise" and I had to put it as "Standalone" in the installation process since it is not the Domain Controller, and to have been the Domain Controller if the "Enterprise" option had appeared in the installation process.
-In Standalone mode the CA at the time of uploading to http: // ip-server-ca / certsrv here I charge the CSR request of Clearpasss but it does not give me the option to select "Web Server" template since that also I lose it to the not being the Domain Controller for what I understand and being "Standalone" does not appear the "Template" and I can not give that Template to the Clearpass CSR, so I think that may also affect.

I appreciate your time, Herman.

Thank you.
Greetings.