Hi Cluck,
To fully understand and resolve this issue, I opened a TAC case and they told me that the only way this kind of authentication works is enabling "
Below is the explanation they sent me via e-mail about the authentication process.
"Hi Heraldo,
Hope you are doing well.
I apologize for the delay in contacting you.
Regarding the bind issue, it has been tested in various setups and it's also confirmed by senior engineers that the authentication for captive portal (PAP) will work only if we enable 'Bind User: Allow bind using user password' under Authentication source. In PAP, 'Bind DN and Bind Password' along with 'Allow bind using the user password' will be used (authorization, explained in question 1, and the binding process for PAP). For 802.1X authentication only 'Bind DN and Bind Password' is needed, as the 802.1X MSCHAP inner process includes multiple challenge exchanges between client, ClearPass and AD. In PAP (Password Authentication Protocol) there is no complex challenge exchange included, and thus we need to perform the bind for PAP authentication using the user password received during authentication.
- What should I do to use the Bind DN and Bind Password to bind to the Active Directory?
Answer: Bind DN and Bind Password is the authorization process which proves that the bind account is authorized to make queries (in order to fetch authorization attributes of the client in case Authorization is enabled on the service). It is used for PAP as well.
The Bind DN and Bind Password includes the Active Directory user account that has privileges to search for users (usually the Administrator account). The Bind operation allows authentication information to be exchanged between the client and server to establish a new authorization state. In the Active Directory context, bind is a term that indicates authenticating to an LDAP server, which Active Directory must do before it can run any queries against the LDAP server. Active Directory must provide credentials to prove to the LDAP server that it is authorized to make queries against it.
For further queries, refer to the link below:
http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/3%20Active%20Directory/AD_auth_source_adding.htm#Bind
- If the bind operation only works when enabling "Allow bind using the user password", that is, with the user password, what is the purpose of the Bind DN and Bind Password?
Answer: Please refer to the answer for Question 1.
We can collect a packet capture in order to better understand how the flow works with the field enabled."
I collected some packet captures that indeed confirmed the explanation above.
Hope this can help you!
Regards,
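To make the two-step flow from the TAC reply concrete, here is an added worked model that is not part of the original post and not Aruba or ClearPass code. It stands in an in-memory toy directory for Active Directory (constructed sample entries, hypothetical domain `example.test`, hypothetical service account `svc-clearpass`), and shows why the Bind DN/Bind Password alone only gets you authorization data, while PAP needs a second bind as the user with the clear-text password the client supplied.

```python
"""Model of the two LDAP binds ClearPass performs for PAP (added example).

Step 1: bind with the configured Bind DN / Bind Password (service account) so
        the directory can be searched and authorization attributes fetched.
Step 2 (PAP only): bind again as the user's own DN with the clear-text
        password received in the RADIUS request ("Allow bind using the user
        password"). This is what actually proves the password is right.
For 802.1X with an MSCHAPv2 inner method the server never holds the clear-text
password, so step 2 is not possible there and only step 1 is configured.

Everything here is an offline toy; the directory contents are constructed.
"""
from dataclasses import dataclass


class LdapError(Exception):
    """Raised for any LDAP result code other than success."""


@dataclass
class Entry:
    dn: str
    attributes: dict
    password: str  # held in clear only because this is a toy directory


class ToyDirectory:
    """In-memory stand-in for an AD LDAP server: simple bind plus search."""

    def __init__(self, entries):
        self._by_dn = {e.dn.lower(): e for e in entries}

    def simple_bind(self, dn, password):
        entry = self._by_dn.get(dn.lower())
        if entry is None or entry.password != password:
            raise LdapError("invalidCredentials (49)")
        return Session(self, entry)

    def _find(self, attr, value):
        return [e for e in self._by_dn.values()
                if str(e.attributes.get(attr, "")).lower() == value.lower()]


@dataclass
class Session:
    directory: ToyDirectory
    bound_as: Entry

    def search(self, attr, value):
        # Only a bound account with search rights may query; the toy models
        # that right with a boolean attribute on the bound entry.
        if not self.bound_as.attributes.get("canSearch", False):
            raise LdapError("insufficientAccessRights (50)")
        return self.directory._find(attr, value)


# Constructed sample directory (hypothetical names and passwords).
SVC_DN = "CN=svc-clearpass,OU=Service,DC=example,DC=test"
SVC_PASSWORD = "S3rvicePass!"
DIRECTORY = ToyDirectory([
    Entry(SVC_DN, {"sAMAccountName": "svc-clearpass", "canSearch": True}, SVC_PASSWORD),
    Entry("CN=Alice,OU=Users,DC=example,DC=test",
          {"sAMAccountName": "alice",
           "memberOf": ["CN=WiFi-Users,OU=Groups,DC=example,DC=test"]},
          "alice-secret"),
])


def authorize_lookup(directory, bind_dn, bind_password, username):
    """Step 1 only: what Bind DN / Bind Password gives you (no password proof).

    Returns (status, authorization_attributes, user_dn)."""
    try:
        svc = directory.simple_bind(bind_dn, bind_password)
    except LdapError:
        return "bind-dn-failed", {}, None
    try:
        matches = svc.search("sAMAccountName", username)
    except LdapError:
        return "search-denied", {}, None
    if len(matches) != 1:
        return "user-not-found", {}, None
    user = matches[0]
    return "ok", {"memberOf": list(user.attributes.get("memberOf", []))}, user.dn


def pap_authenticate(directory, bind_dn, bind_password, username, user_password):
    """Steps 1 and 2: the PAP flow with 'Allow bind using user password' on."""
    status, attrs, user_dn = authorize_lookup(directory, bind_dn, bind_password, username)
    if status != "ok":
        return status, {}
    # Step 2: bind as the user with the clear-text password PAP delivered.
    try:
        directory.simple_bind(user_dn, user_password)
    except LdapError:
        return "bad-user-password", {}
    return "ok", attrs


if __name__ == "__main__":
    print(authorize_lookup(DIRECTORY, SVC_DN, SVC_PASSWORD, "alice"))
    print(pap_authenticate(DIRECTORY, SVC_DN, SVC_PASSWORD, "alice", "alice-secret"))
    print(pap_authenticate(DIRECTORY, SVC_DN, SVC_PASSWORD, "alice", "wrong"))
```

The point the toy makes is the one in the TAC answer: `authorize_lookup` succeeds for any username as long as the service account is valid, because the service bind proves nothing about the user's password; only the second `simple_bind` in `pap_authenticate` does. Against a real domain controller the same two calls map onto two LDAP simple binds (for example two `ldap3.Connection` objects, one with the service credentials and one with the user's DN and submitted password), which is also what you would expect to see in the packet capture the reply mentions.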