Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard with termination to the controller

  • 1.  Onboard with termination to the controller

    Posted Dec 05, 2014 04:45 PM

    I'm running into an odd issue. I currently have a single SSID set up that authenticates against 2 different 802.1X sources, and using a rule will assign a different VLAN based on which auth source. This works perfectly. But to do this I had to terminate at the controller. The problem here is that for some reason if I use a separate SSID to onboard devices, and then try to set it up so that they're onboarded to the SSID that is terminated at the controller, it fails to join the network. If I uncheck "termination" on the 802.1X profile, it works perfectly. The second I check that box, it fails to join. I'm assuming this is something to do with the certificate being valid for the ClearPass server, but not the controller? I'm out of my element when it gets to certificate stuff.



  • 2.  RE: Onboard with termination to the controller

    EMPLOYEE
    Posted Dec 05, 2014 05:38 PM

    So is your goal to have a single SSID or dual SSID onboard scenario?



  • 3.  RE: Onboard with termination to the controller

    Posted Dec 05, 2014 06:11 PM

    Dual. I have one specifically for onboarding, which is a classic onboarding SSID, then a second that the configuration profile is configured to join after provisioning.



  • 4.  RE: Onboard with termination to the controller

    Posted Dec 05, 2014 06:35 PM

    The other way I can try to go about it is to add the other RADIUS server as a RADIUS Proxy service to ClearPass, and then use enforcement rules to assign a VLAN. The problem I'm running into there is that I can't seem to get it to attempt a secondary type of authentication service if it rejects the first one. So depending on whether I set the ClearPass service or the RADIUS Proxy service first, it will only attempt to auth there first, and if it gets a reject it won't attempt to auth against the next service in the list.



  • 5.  RE: Onboard with termination to the controller

    EMPLOYEE
    Posted Dec 05, 2014 09:13 PM

    You might want to:

    1.  Add ClearPass to both domains.

    2.  In your service to authenticate 802.1X devices, make sure both domains show up under "Authentication Sources".

    3.  Uncheck termination on the controller, so that the server certificate on ClearPass is what all devices see and trust.

    4.  ClearPass should look for an account for an incoming authentication request in the first authentication source, and if it does not exist, move to the second.

    5.  You could use the role mapping "if Authentication Source = AD1" then set a role of AD1. Same thing if it is AD2.

    6.  Later in the Enforcement Policy, you can say if Role=AD1, then send back X enforcement profile with one attribute. You can also say, if Role=AD2, then send back Y enforcement policy with a different RADIUS attribute to differentiate between devices that authenticated with each.

    This is all assuming that ClearPass has a public certificate that both sets of clients trust, and can be used to onboard both.



  • 6.  RE: Onboard with termination to the controller

    Posted Dec 05, 2014 11:00 PM

    Yeah, the problem with that solution is the ability to add CPPM to both domains. Presently, due to the control of the DC in the other organization, I currently only have the ability to add CPPM as a trusted RADIUS client, hence the reason for setting up a RADIUS proxy service. It'd be extremely simple if I could just join CPPM to the domain and add it as a second authentication source.



  • 7.  RE: Onboard with termination to the controller

    EMPLOYEE
    Posted Dec 05, 2014 11:10 PM

    I am not confident that there is a way to do it in another way. Using RADIUS Proxy, you lose a great deal of flexibility as well as attributes to make decisions on. If you are using RADIUS proxy, you cannot check to see if the AD account in the certificate is still active. You would basically just be distributing certificates but you would not be able to tie them to an AD account in any way.

    You probably have to have a heart-to-heart talk with the admin of that domain so this can be done properly.
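    As an added illustration of the evaluation order described in reply 5 (walk the authentication sources in order, map the matched source to a role, return a VLAN in the enforcement profile) and of the RADIUS proxy limitation in reply 7, here is a small Python model written for this page. It is not ClearPass code and nothing in it comes from the thread: the directories AD1 and AD2, the accounts, the VLAN IDs 10 and 20, and the idea of placing the remote RADIUS server in the same ordered list as the directories are all constructed for the example. The remote server is modelled only far enough to show the one property that matters here: a directory can answer "account not found", which lets evaluation move on, whereas a RADIUS server only ever answers Access-Accept or Access-Reject, and a reject is final.

    ```python
    """Constructed model of ordered authentication-source lookup, role mapping and
    VLAN enforcement for one 802.1X service, versus a forwarded RADIUS request.
    Example code for this page; directories, users and VLANs are made up."""
    from enum import Enum
    from typing import Optional


    class Outcome(Enum):
        NOT_FOUND = "not found"   # account absent in this source: keep walking the list
        ACCEPT = "accept"
        REJECT = "reject"         # terminal: evaluation stops here


    class Account:
        def __init__(self, password: str, enabled: bool = True):
            self.password, self.enabled = password, enabled


    class ADSource:
        """A directory the policy server is joined to: it can look accounts up itself."""

        def __init__(self, name: str, accounts: dict):
            self.name, self.accounts = name, accounts

        def lookup(self, username: str) -> Optional[Account]:
            return self.accounts.get(username)

        def authenticate(self, username: str, password: str) -> Outcome:
            acct = self.lookup(username)
            if acct is None:
                return Outcome.NOT_FOUND
            if not acct.enabled or acct.password != password:
                return Outcome.REJECT          # found, but disabled or bad credential
            return Outcome.ACCEPT


    class RadiusProxy:
        """A remote RADIUS server we are merely a client of. It answers Access-Accept
        or Access-Reject; there is no 'user not found' and no attribute lookup."""

        def __init__(self, name: str, upstream: ADSource):
            self.name, self.upstream = name, upstream

        def lookup(self, username: str) -> None:
            return None                         # cannot query the remote directory

        def authenticate(self, username: str, password: str) -> Outcome:
            out = self.upstream.authenticate(username, password)
            return Outcome.ACCEPT if out is Outcome.ACCEPT else Outcome.REJECT


    def vlan_attributes(vlan: int) -> dict:
        """RFC 3580 dynamic VLAN assignment attributes returned in Access-Accept."""
        return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(vlan)}


    # Role mapping: "Authentication Source = X" -> role X; enforcement: role -> VLAN.
    # VLAN numbers are assumptions for the example.
    ENFORCEMENT = {"AD1": vlan_attributes(10), "AD2": vlan_attributes(20),
                   "PROXY": vlan_attributes(20)}


    def evaluate(sources, username: str, password: str) -> dict:
        """Walk the service's authentication sources in order and build the reply."""
        for src in sources:
            out = src.authenticate(username, password)
            if out is Outcome.NOT_FOUND:
                continue                        # try the next source
            if out is Outcome.REJECT:
                return {"result": "REJECT", "source": src.name, "attrs": {}}
            return {"result": "ACCEPT", "source": src.name, "role": src.name,
                    "attrs": ENFORCEMENT[src.name]}
        return {"result": "REJECT", "source": None, "attrs": {}}


    def cert_account_active(sources, upn: str) -> Optional[bool]:
        """EAP-TLS: is the account named in the client certificate still enabled?
        Only a source we can query can answer; a proxy alone yields None (unknown)."""
        for src in sources:
            acct = src.lookup(upn)
            if acct is not None:
                return acct.enabled
        return None


    # Constructed directories and a proxy in front of the second one.
    AD1 = ADSource("AD1", {"alice": Account("pw-a"), "mallory": Account("pw-m", enabled=False)})
    AD2 = ADSource("AD2", {"bob": Account("pw-b")})
    PROXY = RadiusProxy("PROXY", AD2)

    if __name__ == "__main__":
        joined = [AD1, AD2]
        print(evaluate(joined, "alice", "pw-a"))     # ACCEPT via AD1, VLAN 10
        print(evaluate(joined, "bob", "pw-b"))       # ACCEPT via AD2 after AD1 says not found
        print(evaluate(joined, "mallory", "pw-m"))   # REJECT: found in AD1 but disabled
        print(evaluate([PROXY, AD1], "alice", "pw-a"))  # REJECT: proxy's reject is final
        print(cert_account_active(joined, "mallory"), cert_account_active([PROXY], "bob"))
    ```

    The two cases worth comparing are "bob" against [AD1, AD2], where AD1's "not found" lets the lookup continue and the reply carries VLAN 20, and "alice" against [PROXY, AD1], where the remote server's Access-Reject ends evaluation before AD1 is ever consulted. The last line shows the other half of reply 7: with a joined directory the disabled account behind a still-valid certificate is visible; through a proxy there is nothing to look up.
    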

     



  • 8.  RE: Onboard with termination to the controller

    EMPLOYEE
    Posted Dec 05, 2014 11:12 PM

    What were their concerns about joining it to the domain? Maybe we can help.



  • 9.  RE: Onboard with termination to the controller

    Posted Dec 08, 2014 05:52 PM

    Ok, they were able to give me a service account with access to the DC. I added this as an authentication source with the correct lookup. However, now when I add it as one of the authentication sources to my service, when I check the Access Tracker it doesn't attempt to auth against that source; it just shows up as blank in the authentication sources. Do I have to join ClearPass to the domain under Server Configuration in Server Manager? If so, I'm running into an issue there as well.

    I had the server guys here add the IP address of the domain controller on the other network to their local DNS, but when I join using the local DNS record name, it fails with the following message:


    Adding host to AD domain...
    INFO - Fetched REALM 'COMPANYNAME.ORG' from domain FQDN
    'posservdc.COMPANYNAME.com'

    INFO - Fetched the NETBIOS name 'POSSERV'
    INFO - Creating domain directories for 'POSSERV'
    Enter clrpath's password:
    Failed to join domain: failed to lookup DC info for domain
    'POSSERV.ORG' over rpc: Duplicate name on network
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'POSSERV'
    ERROR - clearpass1.COMPANYNAME.com failed to join the domain POSSERV.ORG
    with domain controller as posservdc.COMPANYNAME.com

    Join domain failed

     

    What concerns me is the existence of 2 discrete domains, and I'm attempting to use the DNS of one domain, to connect to the DC of another domain.



  • 10.  RE: Onboard with termination to the controller

    EMPLOYEE
    Posted Dec 08, 2014 07:20 PM

    1.  Yes, you do need to join the domain separately in Server Manager.

    2.  You will then be able to add it as an AD authentication source, and then you will need to point to the IP address of a DC and have a read-only user in LDAP to search for user accounts.

    3.  Once you do those two things, you can add the AD authentication source to the list of sources in the service.

    You would need to point ClearPass at a DNS server that can resolve hosts in both domains for this to work properly, yes. They have to set up their DNS server properly so that it can refer requests for one domain to another on the same DNS server.