Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LDAP/AD Server Unreachable from CPPM support fail open?

  • 1.  LDAP/AD Server Unreachable from CPPM support fail open?

    Posted May 21, 2015 11:59 AM

    Hi Aruba expert,

    We have a scenario where CPPM is deployed in the remote site and all authentication sources, such as the AD/LDAP server, are in the Data Center site.

    What if CPPM is unable to connect to the LDAP or AD server due to a WAN link failure? Will ClearPass be able to trigger fail open, instructing the switch to enable the critical VLAN, in case the LDAP/AD server is unreachable from CPPM?

    Thanks



  • 2.  RE: LDAP/AD Server Unreachable from CPPM support fail open?

    EMPLOYEE
    Posted May 21, 2015 12:05 PM

    Whether there is a "fail open" situation is more dependent on the NAS device that authenticates to CPPM. CPPM itself does not have a "fail open" option for authentication.



  • 3.  RE: LDAP/AD Server Unreachable from CPPM support fail open?

    EMPLOYEE
    Posted May 21, 2015 12:22 PM

    Also, keep in mind that most of our products support auth survivability in the latest versions. Check the release notes and user guides.

    More importantly, I would question why you are placing a ClearPass server at a site and not an additional AD server? The fact that you need ClearPass there tells me that you either expect this link to go down or the link has high latency. If it is the latter, you will need an AD server there as well as ClearPass, otherwise RADIUS authentications will time out while we wait for a response from AD. This is not a fault of our products but is based on how Apple and Microsoft implement the 802.1X supplicant. There is a time limit after which no response will cause a new 802.1X auth attempt.

    A safe number is 100 ms or less latency.



  • 4.  RE: LDAP/AD Server Unreachable from CPPM support fail open?

    Posted May 21, 2015 02:31 PM

    Hi cjoseph/zjennings,

    Thanks in advance. I understand that fail-open is dependent on the NAS device, and from what I understand of Authentication Survivability, if CPPM is not available (meaning the NAS is unable to reach ClearPass) the user can still authenticate to the NAS device via EAP-PEAP, which is good for wireless deployments with CPPM.

    My question is: what if CPPM is located in the remote site, the authentication source is reached over the WAN link, and there is no backup Active Directory server in the remote site? Worst case scenario, there is a WAN link failure. This means the NAS device is still able to communicate with CPPM, but CPPM has lost its connection to the AD server. Can ClearPass somehow tell the switch to trigger the fail-open/critical VLAN even though there is reachability between CPPM and the NAS device?



  • 5.  RE: LDAP/AD Server Unreachable from CPPM support fail open?
    Best Answer

    EMPLOYEE
    Posted May 21, 2015 04:43 PM
    No, that is not possible. Failure to authenticate (even due to AD being down) will send a RADIUS Reject.

    However, you could OnBoard the devices and disable Authorization in the EAP-TLS method. This would allow those devices to continue authenticating without AD.

    Or offer a PSK SSID with MAC auth for times when the WAN link goes down. We could use a custom SQL query to determine if the device successfully authenticated to the 802.1x SSID in the past X hours.

    Just a thought.

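    One way to express the "authenticated to the 802.1X SSID in the past X hours" check from the answer above, as an added example that is not part of the original reply: a filter query for a ClearPass Generic SQL DB authentication source pointed at the local Insight database. The table and column names (auth, mac, ssid, auth_method, auth_status, timestamp), the SSID name and the 24-hour window are assumptions to be checked against your ClearPass version's Insight schema.

```sql
-- Added example (not from the thread): filter query for a Generic SQL DB
-- authentication source used by the fallback PSK + MAC-auth service.
-- ASSUMPTIONS (verify before use):
--   * the source targets the local Insight DB (PostgreSQL, insightdb)
--   * table "auth" holds one row per RADIUS request with the columns below
--   * %{Connection:Client-Mac-Address-NoDelim} is the MAC of the device
--     currently doing MAC authentication on the fallback SSID
--   * 'CORP-DOT1X' is a placeholder for the real 802.1X SSID name
--   * 'Success' is a placeholder for the value your schema stores for a
--     successful request
-- The service only returns a row (and therefore only grants the fallback
-- role) when the same MAC completed an EAP authentication on the 802.1X
-- SSID inside the window; an open-ended window would let a stale success
-- be reused forever, so keep it short (24 hours here).
SELECT mac               AS "Authorized-MAC",
       MAX("timestamp")  AS "Last-Dot1X-Success"
FROM   auth
WHERE  mac         = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
  AND  ssid        = 'CORP-DOT1X'
  AND  auth_method LIKE 'EAP-%'
  AND  auth_status = 'Success'
  AND  "timestamp" > NOW() - INTERVAL '24 hours'
GROUP  BY mac
HAVING COUNT(*) >= 1;
```

    Map the returned attributes to a restricted role in the fallback service's enforcement policy rather than the normal 802.1X role, so that devices admitted this way during a WAN outage get only the access you intend for that degraded state.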

  • 6.  RE: LDAP/AD Server Unreachable from CPPM support fail open?

    Posted May 26, 2015 08:25 AM

    Well noted. Thanks.