Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Corroboration of Clearpass with Domain Server

  • 1.  Corroboration of Clearpass with Domain Server

    Posted Oct 26, 2018 12:21 PM

    Hi,
    I hope you can help me. I have been working on an 802.1X scenario with Ethernet and wireless users. I have configured ClearPass as the source of authentication and authorization, in conjunction with Active Directory. ClearPass is in the Active Directory correctly, but I cannot access it by name, as if it were not completely in the domain. I also checked the computer on the domain server and I see that it is linked, but I do not see the DNS name (tnetlab.local), which is the DNS domain on the server; instead (.localdomain) appears. In fact, over SSH, ClearPass shows me that it is "Online" in the domain, but I cannot access ClearPass by name. I attach evidence of my configuration.
    I hope you can help me.
    Thank you.



  • 2.  RE: Corroboration of Clearpass with Domain Server

    Posted Oct 26, 2018 01:04 PM

    Hi David,

    Maybe you can troubleshoot on the NAD device.

    For example, on Comware 5 switches (like the HPE 5500 series), when you configure the scheme (RADIUS server) you can specify "user-name-format without-domain".


    radius scheme CPPM
    primary authentication {CPPM_ipaddr} key cipher (/&%$#"#$%&/&%$#"
    primary accounting {CPPM_ipaddr} key cipher (/&%$#"#$%&/(/&%$#$%
    accounting-on enable
    user-name-format without-domain
    
    domain CPPM-domain
    authentication lan-access radius-scheme CPPM local
    authorization lan-access radius-scheme CPPM local
    accounting lan-access radius-scheme CPPM local
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable

    Good luck!



  • 3.  RE: Corroboration of Clearpass with Domain Server

    Posted Oct 26, 2018 01:46 PM

    Hi Nicolás,
    First of all, thanks for answering.
    I have Aruba 2930M switches; my configuration on the NAD is the following:

    hostname "Switch1-Stack1"
    trunk 1 / A1,5 / A1 trk1 lacp
    radius-server host 172.16.101.7 key "*******"
    radius-server host 172.16.101.7 dyn-authorization
    radius-server host 172.16.101.7 time-window plus-or-minus-time-window
    radius-server host 172.16.101.7 time-window 0
    radius-server cppm identity "DUR-S2-Gdl"
    timesync ntp
    unicast ntp
    ntp server 120.23.2.8 iburst
    ntp enable
    ip default-gateway 172.16.100.254
    ip client-tracker trusted
    snmp-server community "public" unrestricted
    aaa server-group radius "CLEARPASS" host 172.16.101.7
    aaa accounting update periodic 5
    aaa accounting network start-stop radius server-group "CLEARPASS"
    aaa authorization commands radius
    aaa authorization user-role enable download
    aaa authentication port-access eap-radius server-group "CLEARPASS"
    aaa authentication mac-based chap-radius server-group "CLEARPASS"
    aaa authentication captive-portal enable


    I hope you can support me.
    Thank you.



  • 4.  RE: Corroboration of Clearpass with Domain Server

    Posted Oct 26, 2018 02:02 PM
    I don’t understand what your question / problem is. What do you mean by “I can not access Clearpass by name”?


  • 5.  RE: Corroboration of Clearpass with Domain Server

    Posted Oct 26, 2018 02:17 PM

    Thanks for answering.
    Apparently ClearPass is correctly in the domain, since I managed to join it to the domain through the GUI, and over SSH it shows me "Online". But on the domain server I see the "computer" with the correct name, yet the DNS name is not "tnetlab.local" as it should be; it gives me another one, ".localdomain", and therefore I cannot access ClearPass by its name in the domain, only by IP.
    I hope I have made myself understood; I am adding an image.
    Thank you.




  • 6.  RE: Corroboration of Clearpass with Domain Server

    Posted Oct 26, 2018 02:22 PM
    Okay. Please check the server name in the server configuration section. I think the name in the server configuration includes the localdomain suffix. Remove the computer object from the domain and rejoin to make sure the entry is correct. You could also add the DNS entry manually to the DNS zone, of course.



  • 7.  RE: Corroboration of Clearpass with Domain Server

    Posted Oct 26, 2018 03:44 PM

    Thanks for answering.
    1.- I already checked the configuration and the server name is correct; I have other computers in the domain and for them the DNS does appear correctly as "tnetlab.local".
    2.- Sorry for my ignorance, how can you manually configure the DNS?
    I hope you can support me, thanks.
    Thank you.



  • 8.  RE: Corroboration of Clearpass with Domain Server
    Best Answer

    Posted Oct 27, 2018 04:52 AM
    I’m not sure why the local domain is in the DNS suffix. I think localdomain is the default dns suffix Clearpass is using. So maybe this is old data.

    To create a DNS record manually, go to the DNS zone manager on your Windows DNS server and create the A record manually.
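
The manual A record from the answer above, as an added PowerShell example to run on the Windows DNS server (not part of the original thread). The zone `tnetlab.local` comes from the thread; the host label `clearpass` is a placeholder, and 172.16.101.7 is assumed to be the ClearPass address because the switch configuration points RADIUS at it.

```powershell
# Assumptions (not from the thread): the host label is a placeholder; the IP is the
# RADIUS server address from the switch configuration, assumed to be ClearPass.
$Zone     = 'tnetlab.local'
$HostName = 'clearpass'        # placeholder: use the hostname set on the ClearPass server
$Ip       = '172.16.101.7'
$Fqdn     = "$HostName.$Zone"

# Look for existing A records for this name in the AD-integrated zone.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A `
                -ErrorAction SilentlyContinue

# Records that exist for the name but point at a different address.
$stale = $existing | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -ne $Ip }

if ($stale) {
    # Report the conflict instead of silently overwriting someone else's record.
    $stale | ForEach-Object { Write-Warning "$Fqdn already maps to $($_.RecordData.IPv4Address)" }
}
elseif (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $Ip
    Write-Output "Created A record $Fqdn -> $Ip"
}
else {
    Write-Output "A record $Fqdn -> $Ip already present"
}

# Verify against this DNS server only (no LLMNR/NetBIOS fallback).
Resolve-DnsName -Name $Fqdn -Type A -Server localhost -DnsOnly |
    Select-Object Name, IPAddress
```

Clients that already failed to resolve the name may hold a cached negative answer; `ipconfig /flushdns` on the client clears it.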