Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Recommended authentication source (AD or LDAP)

  • 1.  Recommended authentication source (AD or LDAP)

    Posted Feb 15, 2017 05:55 PM

    Hi

    We are currently working on a project to replace a legacy Cisco ACS solution with a ClearPass solution for our corporate wireless authentication. Currently our security leaves a little to be desired and as such we want to address this with the ClearPass solution. Our current Cisco ACS solution makes use of an LDAP repository (it queries a global catalogue server) for user/device attributes.

    Our plan is to have a global cluster of CPPM appliances, with two in each of three regions of the world, so six in total. Each region is served by a different domain with a trust established between them all.

    With the above in mind, I was wondering what the recommended approach for the authentication source is: 1) join each of the CPPM appliances to its respective domain, or 2) continue with an LDAP GC repository. Our AD guys are suggesting the latter of the two, but documentation and other posts in the communities suggest option 1.

    Also, what benefit do I gain from using one over the other?

    Thanks



  • 2.  RE: Recommended authentication source (AD or LDAP)

    EMPLOYEE
    Posted Feb 15, 2017 06:01 PM
    The best practice from a security standpoint would be using EAP-TLS and only leveraging AD or LDAP for authorization.

    If that's not feasible and you need to stay with the legacy authentication methods (PEAPv0/EAP-MSCHAPv2 or EAP-TTLS), the answer varies. When you say LDAP, is this a separate identity store from your Active Directory?



  • 4.  RE: Recommended authentication source (AD or LDAP)

    Posted Feb 15, 2017 06:06 PM

    Hi Tim,

    Apologies, we are using EAP-TLS. It was the authorisation I was referring to, my bad.

    The LDAP (in Cisco ACS) that I refer to is actually a reference to a global catalogue server that has a view of all objects in the forest (made up of the three domains).

    I was trying to understand the benefit of moving away from this, and joining the CPPMs to the domain as opposed to just continuing with the LDAP lookup. Our AD guys are suggesting this is more efficient than performing an AD lookup for objects/attributes.



  • 5.  RE: Recommended authentication source (AD or LDAP)
    Best Answer

    EMPLOYEE
    Posted Feb 15, 2017 06:20 PM
    Domain join is only required when using MSCHAP-based EAP methods. Since you're already using EAP-TLS, you're just doing LDAP binds to AD to pull in account info.

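As an added illustration of the point in this answer (not code from the thread, from ClearPass or from HPE Aruba): an authorization-only lookup for an EAP-TLS identity that queries the forest's Global Catalog over plain LDAP, with no domain join, and decides on AD attributes. The directory entries, the forest name and the `Wireless-Users` group are constructed sample data, and the search itself is an in-memory stand-in for what a real GC would answer.

```python
GC_PORT = 3268          # Global Catalog LDAP port (3269 for LDAPS); one search covers the whole forest
FOREST_ROOT = "DC=corp,DC=example"                              # constructed forest root
ALLOWED_GROUP = "CN=Wireless-Users,OU=Groups,DC=corp,DC=example" # constructed group DN
UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled

# Constructed stand-in for the Global Catalog: one user from each regional domain.
GC_ENTRIES = [
    {"userPrincipalName": "alice@emea.corp.example", "userAccountControl": 512,
     "memberOf": ["CN=Wireless-Users,OU=Groups,DC=corp,DC=example"]},
    {"userPrincipalName": "bob@apac.corp.example", "userAccountControl": 512,
     "memberOf": []},
    {"userPrincipalName": "carol@amer.corp.example", "userAccountControl": 514,  # 512 | disabled
     "memberOf": ["CN=Wireless-Users,OU=Groups,DC=corp,DC=example"]},
]

def escape_filter(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so a UPN taken from a
    client certificate cannot change the shape of the query."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_gc_query(upn: str) -> dict:
    """The search a NAC would send to the GC for the identity proven by EAP-TLS."""
    return {"port": GC_PORT, "base": FOREST_ROOT, "scope": "subtree",
            "filter": f"(&(objectClass=user)(userPrincipalName={escape_filter(upn)}))",
            "attributes": ["memberOf", "userAccountControl"]}

def gc_search(upn: str, entries=GC_ENTRIES) -> list:
    """In-memory stand-in for the LDAP search; matches only on userPrincipalName."""
    return [e for e in entries if e["userPrincipalName"].lower() == upn.lower()]

def authorize(upn: str) -> tuple:
    """Authorization only: the TLS handshake already proved possession of the
    certificate's private key, so AD is consulted for attributes, not a password."""
    hits = gc_search(upn)
    if len(hits) != 1:
        return ("reject", "no unique AD account for certificate identity")
    entry = hits[0]
    if entry["userAccountControl"] & UF_ACCOUNTDISABLE:
        return ("reject", "account disabled")      # certificate still valid, AD says no
    if ALLOWED_GROUP.lower() not in (g.lower() for g in entry["memberOf"]):
        return ("reject", "not a member of Wireless-Users")
    return ("accept", "Wireless-Users")
```

The disabled-account check is the part worth keeping in a real policy: a leaver's certificate stays cryptographically valid until it expires or is revoked, so the LDAP lookup is what actually turns the account off.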
