Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Internal error in radius server with bind DN

  • 1.  Internal error in radius server with bind DN

    Posted Mar 14, 2017 06:13 PM

    Hi,

    I am trying to configure an AD authentication source to use the bind DN, but even with a valid user and password (I can search the base DN, and the user is not disabled and does not have any restrictions) I am getting the following error:

    [attached screenshot: internal-error.jpg]

    The service that uses the authentication source has PAP, CHAP and MSCHAP as authentication methods. I also tried the FQDN and user@domain formats for the Bind DN, both ending with the same error.

    If I enable Bind User by selecting Allow bind using user password , the authentication works, but I want to use a specific user to bind to the AD. I am running ClearPass 6.6.4.

    Has anyone seen this before?

    Thanks,



  • 2.  RE: Internal error in radius server with bind DN

    EMPLOYEE
    Posted Mar 14, 2017 06:15 PM
    What authentication method is in use?


  • 3.  RE: Internal error in radius server with bind DN

    Posted Mar 14, 2017 08:44 PM

    Hi Cappalli,

    The access tracker record shows the authentication method as "-". That is nothing. When I enable Bind User and it works, authentication method is PAP.

    Thanks for the reply.



  • 4.  RE: Internal error in radius server with bind DN

    EMPLOYEE
    Posted Mar 14, 2017 08:51 PM
    But what type of network are you authenticating? 802.1X with EAP? Captive Portal, WebAuth, etc?


  • 5.  RE: Internal error in radius server with bind DN

    Posted Mar 14, 2017 11:28 PM

    Hi Cappalli,

    Captive Portal.



  • 6.  RE: Internal error in radius server with bind DN

    Posted Aug 28, 2018 05:41 PM

    Was there a resolution to this issue?  



  • 7.  RE: Internal error in radius server with bind DN

    Posted Aug 29, 2018 12:15 PM

    Hi Cluck,

    To fully understand and resolve this issue, I opened a TAC case and they told me that the only way this kind of authentication works is enabling "

    Below is the explanation they sent me via e-mail about the authentication process.

     

    "Hi Heraldo,

    Hope you are doing well.

    I apologize for the delay in contacting you.

    Regarding the bind issue, it has been tested in various setups and it is also confirmed by senior engineers that the authentication for captive portal (PAP) will work only if we enable 'Bind User: Allow bind using user password' under the Authentication source. In PAP, 'Bind DN and Bind Password' along with 'Allow bind using the user password' will be used (authorization, explained in question 1, and the binding process for PAP). For 802.1X authentication only 'Bind DN and Bind Password' is needed, as the 802.1X MSCHAP inner process includes multiple challenge exchanges between client, ClearPass and AD. In PAP (Password Authentication Protocol) there is no complex challenge exchange included, and thus we need to perform the bind for PAP authentication using the user password received during authentication.

    1. What should I do to use the Bind DN and Bind Password to bind to the Active Directory?

    Answer: Bind DN and Bind Password are the authorization process which proves that the bind account is authorized to make queries to the directory (in order to fetch authorization attributes of the client in case Authorization is enabled on the service). It is used for PAP as well.

    The Bind DN and Bind Password include the Active Directory user account that has privileges to search for users (usually the Administrator account). The Bind operation allows authentication information to be exchanged between the client and server to establish a new authorization state. In the Active Directory context, bind is a term that indicates authenticating to an LDAP server, which Active Directory must do before it can run any queries against the LDAP server. Active Directory must provide credentials to prove to the LDAP server that it is authorized to make queries against it.

    For further queries, refer below link:

    http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/3%20Active%20Directory/AD_auth_source_adding.htm#Bind

     

    2. If the bind operation only works when enabling "Allow bind using the user password", that is, with the user password, what is the purpose of the Bind DN and Bind Password?

    Answer: Please refer to the answer for Question 1.

     

    We can collect packet capture in order to better understand how the flow works with the field enabled."

    I collected some packet captures that indeed confirmed the explanation above.

    Hope this can help you!

    Regards,
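To make the TAC explanation concrete, here is an added example that is not from the thread and not ClearPass code. It models the captive-portal (PAP) flow against a constructed in-memory stand-in for Active Directory: the Bind DN account performs a simple bind and searches for the user (that is all it can do with a cleartext PAP password in hand), and only a second simple bind as the user's own DN with the password from the request actually verifies the credential. With "Allow bind using user password" off, no step checks the password, which is why the Access Tracker showed an authentication method of "-". All DNs, account names and passwords below are made up; `FakeDirectory`, `AuthSource` and `authenticate_pap` are this example's own names, not ClearPass APIs.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled AD account


class BindError(Exception):
    """Simple bind rejected (LDAP resultCode 49, invalidCredentials)."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for AD's LDAP interface: entries keyed by DN."""
    entries: Dict[str, dict] = field(default_factory=dict)

    def simple_bind(self, dn: str, password: str) -> None:
        entry = self.entries.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise BindError(f"invalidCredentials for {dn}")
        if entry.get("userAccountControl", 0) & ACCOUNTDISABLE:
            raise BindError(f"account disabled: {dn}")

    def search(self, base_dn: str, attr: str, value: str) -> Optional[Tuple[str, dict]]:
        """Subtree search under base_dn for the one entry where attr == value."""
        for dn, entry in self.entries.items():
            if dn.lower().endswith(base_dn.lower()) and entry.get(attr) == value:
                return dn, entry
        return None


@dataclass
class AuthSource:
    """The fields of a ClearPass AD authentication source this example models."""
    bind_dn: str
    bind_password: str
    base_dn: str
    allow_bind_using_user_password: bool = False


def authenticate_pap(directory: FakeDirectory, source: AuthSource,
                     username: str, password: str) -> dict:
    """Captive-portal (PAP) flow: the server holds the user's cleartext password."""
    # Step 1: bind as the service account named by Bind DN and look the user up.
    # This bind only proves the service account may query the directory; a wrong
    # Bind Password fails here for every request, before any user is involved.
    directory.simple_bind(source.bind_dn, source.bind_password)
    hit = directory.search(source.base_dn, "sAMAccountName", username)
    if hit is None:
        return {"result": "REJECT", "auth_method": "-", "reason": "user not found"}
    user_dn, entry = hit
    authz = {"memberOf": list(entry.get("memberOf", []))}  # authorization attributes

    # Step 2: with 'Allow bind using user password' off, nothing in this flow
    # ever checks the user's password, so the request cannot be accepted.
    if not source.allow_bind_using_user_password:
        return {"result": "ERROR", "auth_method": "-",
                "reason": "no step verifies the user password", "authz": authz}

    # Step 3: a second simple bind, as the user's own DN with the PAP password,
    # is what actually verifies the credential (and honours disabled accounts).
    try:
        directory.simple_bind(user_dn, password)
    except BindError as exc:
        return {"result": "REJECT", "auth_method": "PAP", "reason": str(exc), "authz": authz}
    return {"result": "ACCEPT", "auth_method": "PAP", "user_dn": user_dn, "authz": authz}


def build_demo_directory() -> FakeDirectory:
    """Constructed sample data; every DN and password here is made up."""
    d = FakeDirectory()
    d.entries["CN=svc-clearpass,OU=Service Accounts,DC=example,DC=local"] = {
        "sAMAccountName": "svc-clearpass", "userPassword": "S3rvice-Read-Only!",
    }
    d.entries["CN=Alice Example,OU=Users,DC=example,DC=local"] = {
        "sAMAccountName": "alice", "userPassword": "correct horse battery",
        "memberOf": ["CN=WiFi-Guests,OU=Groups,DC=example,DC=local"],
    }
    d.entries["CN=Bob Example,OU=Users,DC=example,DC=local"] = {
        "sAMAccountName": "bob", "userPassword": "hunter2",
        "userAccountControl": 0x0200 | ACCOUNTDISABLE,  # NORMAL_ACCOUNT, disabled
    }
    return d


SOURCE_BIND_DN_ONLY = AuthSource(
    bind_dn="CN=svc-clearpass,OU=Service Accounts,DC=example,DC=local",
    bind_password="S3rvice-Read-Only!",
    base_dn="DC=example,DC=local",
    allow_bind_using_user_password=False,
)
SOURCE_WITH_USER_BIND = AuthSource(
    bind_dn=SOURCE_BIND_DN_ONLY.bind_dn,
    bind_password=SOURCE_BIND_DN_ONLY.bind_password,
    base_dn=SOURCE_BIND_DN_ONLY.base_dn,
    allow_bind_using_user_password=True,
)

if __name__ == "__main__":
    directory = build_demo_directory()
    for source in (SOURCE_BIND_DN_ONLY, SOURCE_WITH_USER_BIND):
        print(source.allow_bind_using_user_password,
              authenticate_pap(directory, source, "alice", "correct horse battery"))
```

Two design points worth noting. The service account in the sample data is an ordinary user with read access: a simple bind plus a search needs no administrative rights, so the "usually the Administrator account" habit in the TAC mail is not a requirement and is worth avoiding in a real deployment, since that password sits in the authentication source configuration. And the reason the same Bind DN is enough for 802.1X MSCHAP is not modelled here: there the password is never available in cleartext, and ClearPass verifies the challenge/response against the domain rather than by binding as the user, so the Bind DN only ever serves the lookup role shown in step 1.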