Trusted Contributor I

Re: Many authentication sources

In that case, how does ClearPass know that the credentials in the RADIUS response need to be authenticated by an AD server?  My ClearPass servers are joined to the domain, is that how?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite

Re: Many authentication sources

When you add an AD server as an Authentication Source, that is what it authenticates to.

When you create an AD server it uses the domain joined to do 802.1x.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Aruba Employee

Re: Many authentication sources

That was a confusing statement.....

When you add an authentication source profile in an AD environment, it uses that for only LDAP, i.e. username lookup, attribute lookup.

When you join CPPM to 'a' domain, it uses the domain configuration for authentication. The settings in the authentication source profile are not what is used for the actual handling of authentication. For that we rely on winbind to fetch the domain configuration (domain name, NetBIOS name, and trusted domain).

We then use DNS to resolve the local AD server and set that as the password server.

The settings in the authentication profile do not override this.

This is why when you configure an authentication source without joining to AD you get error messages about MSCHAPv2 responses being incorrect.

The only way to override this is to use the password server configuration in the SMB_<domain>.conf, which we didn't expose to end users until 6.1.1 with the password server CLI configuration command.

This is the ONLY way to override the settings we got from the domain lookups during the initial joining of CPPM to the domain.

Hope this clarifies a bit. 

Trusted Contributor I

Re: Many authentication sources

Yes, thank you very much for your clarification on this topic. Glad to finally have an understanding of this.
