Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

We have several domains, and are looking into using Clearpass for authenticating against AD

  • 1.  We have several domains, and are looking into using Clearpass for authenticating against AD

    Posted May 30, 2016 10:28 AM

    Hello,

    We have several domains, and are looking into using ClearPass for authenticating against AD with MSCHAPv2.

    As it is stated that ClearPass must be joined to the domain, would this work if there was a one-way trust between the domains?

    Regards Peter



  • 2.  RE: We have several domains, and are looking into using Clearpass for authenticating against AD

    EMPLOYEE
    Posted May 30, 2016 10:38 AM

    You should add ClearPass to all domains that you want to authenticate to. If you have multiple SSIDs, you can use ClearPass to first check what SSID the user is authenticating to and then only check the user's credentials against the domain that corresponds with that SSID.

    If you have a single SSID for all users in all domains, you need the following:

    - All users in all domains must trust the ClearPass RADIUS certificate

    - ClearPass must be joined to all domains correctly and be able to reach domain controllers in all domains. This means that DNS must be able to resolve resources from all domains

    - All clients must be configured correctly to connect to that single SSID.

    **Consolidating multiple domains into a single SSID involves a lot of work and typically you should try to maintain whatever connectivity that exists and then migrate to a single SSID later.
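
The DNS requirement in the reply above can be checked for every domain before attempting the joins. This is an added example, not part of the original thread and not HPE Aruba tooling: it queries the standard Active Directory DC locator SRV record, assumes `dig` is installed on a host that uses the same DNS servers as ClearPass, and the function names and domain names are constructed for illustration.

```shell
#!/bin/sh
# Pre-join DNS check: can this resolver find domain controllers for each AD domain?
# Usage: ./check_ad_dns.sh corp.example.com lab.example.net   (constructed names)

# Turn `dig +short SRV` answers ("prio weight port target.") into "target port" lines.
parse_srv() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4, $3 }'
}

# Raw DNS lookups, kept in small functions so they can be swapped for canned data.
lookup_srv() { dig +short SRV "_ldap._tcp.dc._msdcs.$1"; }
lookup_a()   { dig +short A "$1"; }

# check_domain <domain>: one status line per advertised DC.
# Returns non-zero if no DC is advertised or an advertised DC has no address.
check_domain() {
    domain=$1
    rc=0
    dcs=$(lookup_srv "$domain" | parse_srv)
    if [ -z "$dcs" ]; then
        echo "FAIL $domain: no DC locator SRV records returned"
        return 1
    fi
    while read -r host port; do
        if [ -n "$(lookup_a "$host")" ]; then
            echo "OK   $domain: $host port $port"
        else
            echo "FAIL $domain: SRV target $host has no A record"
            rc=1
        fi
    done <<EOF
$dcs
EOF
    return $rc
}

# Check every domain named on the command line; fail if any domain fails.
status=0
for d in "$@"; do
    check_domain "$d" || status=1
done
[ "$status" -eq 0 ] || exit 1
```

A domain that passes here still needs network reachability from ClearPass to the listed controllers; this only confirms that name resolution works across all the domains.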