Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Need Help in CPPM packet flow

  • 1.  Need Help in CPPM packet flow

    Posted Mar 27, 2019 06:23 AM

    In one client setup there is one AD root server (GA) and 32 child domains. All child domains have multiple Active Directory servers and all work in active-active; these child domains are also configured as Global Catalog servers and also serve the clients. All the child domain GCs are synchronised with the root Global Catalog, and the root has information about all the 32 child domain objects. We have configured the Root Server in ClearPass for AD authentication.
    If one child domain is down then all the users belonging to that child domain are not able to authenticate. The object is there in the root but the related child domain is down.

    I need info on how the authentication flow happens in ClearPass with the root. Is the authentication packet from CPPM also querying the child domain as well?
    If anyone has a CPPM to AD communication authentication flow document please share,
    for a single forest and for multiple forests as well.



  • 2.  RE: Need Help in CPPM packet flow

    EMPLOYEE
    Posted Apr 01, 2019 07:48 PM
    Hi,

    The first part of the authentication is an LDAP request to get the user's group membership.  The LDAP request always goes to the DC FQDN/IP address configured in the auth source.  If the object isn't found in that domain controller, it will go to the backup DC in the current auth source or will go to the next auth source in the service (if you have one).

    After the LDAP request retrieves group membership, the next step in PEAP-MSCHAPv2 authentication is the NTLM auth.  Winbind and Samba are the two packages that perform this part of the authentication.  Samba is the one that retrieves the domain controllers from DNS SRV records and decides which domain controller to perform the authentication against.  The DC that the NTLM auth is performed against does NOT have to be the same DC used in the LDAP request and hence, not necessarily the FQDN you have defined in the authentication source.

    Regards,
    James
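An added example (not from this thread, and not ClearPass or Samba code) that models the two stages James describes: the LDAP group lookup walks the configured DC, its backup, then the next auth source, while the NTLM step picks a DC from the account domain's DNS SRV records. The host names, SRV records and Global Catalog contents are constructed, and the RFC 2782 priority/weight pick is used as a simplification of Samba's real DC locator, so it only illustrates why a down child domain fails at the NTLM stage even though the root GC still holds the object.

```python
import random

# Constructed SRV records, as Samba would fetch them from DNS for
# _ldap._tcp.dc._msdcs.<domain>: (priority, weight, target host).
SRV = {
    "corp.example.com": [(0, 100, "rootdc1.corp.example.com"),
                         (0, 100, "rootdc2.corp.example.com")],
    "eu.corp.example.com": [(0, 60, "eudc1.eu.corp.example.com"),
                            (0, 40, "eudc2.eu.corp.example.com"),
                            (10, 0, "eudc3.eu.corp.example.com")],  # fallback DC
}
# Constructed Global Catalog view: sAMAccountName -> account domain.
GC = {"alice": "eu.corp.example.com", "bob": "corp.example.com"}

def pick_dc(domain, down, rng=random):
    """RFC 2782-style pick: lowest priority first, weighted random within it.
    A simplification of Samba's DC locator; DCs in `down` are skipped."""
    records = sorted(r for r in SRV.get(domain, []) if r[2] not in down)
    if not records:
        return None
    best = [r for r in records if r[0] == records[0][0]]
    total = sum(w for _, w, _ in best)
    roll = rng.uniform(0, total) if total else 0
    for _, w, target in best:
        roll -= w
        if roll <= 0:
            return target
    return best[-1][2]

def ldap_stage(auth_sources, down):
    """Stage 1: the configured DC, then its backup DC, then the next source."""
    for source in auth_sources:
        for dc in source:
            if dc not in down:
                return dc
    return None

def authenticate(user, auth_sources, down=frozenset(), rng=random):
    """LDAP group lookup, then NTLM against a Samba-selected DC.
    Returns (result, ldap_dc, ntlm_dc)."""
    ldap_dc = ldap_stage(auth_sources, down)
    if ldap_dc is None:
        return ("ldap_failed", None, None)
    domain = GC.get(user)
    if domain is None:
        return ("user_not_found", ldap_dc, None)
    ntlm_dc = pick_dc(domain, down, rng)
    if ntlm_dc is None:
        return ("ntlm_failed", ldap_dc, None)
    return ("ok", ldap_dc, ntlm_dc)
```

Passing the set of unreachable DCs as `down` reproduces the thread's scenario: with every DC of `eu.corp.example.com` down, `authenticate("alice", ...)` returns `ntlm_failed` while the LDAP stage still succeeds against the root.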