Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

issue with clearpass have 3 authentication source as database user

  • 1.  issue with clearpass have 3 authentication source as database user

    Posted Feb 10, 2020 10:35 PM

    Dear all,

    At our customer, we have 1 ClearPass publisher and 1 ClearPass subscriber as standby publisher,

    and we have 3 Active Directories as authentication sources because we have 3 different user business groups: GGF-AD, SQL-AD, and GSK-AD,

    with GGF-AD and SQL-AD having a domain trust to GSK-AD.

    The issue we are facing now is that if GGF-AD is down, all SQL-AD and GSK-AD users can't connect to the network; even IoT devices using the MAC auth service on ClearPass can't connect to the network.

    We already tried to reproduce the issue in a ClearPass lab with exactly the same configuration as ClearPass production. We tried disconnecting the whole network from the ClearPass lab to GGF-AD, and we also tried blocking only the AD service ports, but the issue didn't reproduce.

    We noticed that the event viewer in ClearPass production pops up the message below:

    [Image: Hudaya_0-1581391957982.png]

    but in the ClearPass lab, after we blocked the communication, it didn't show up.

    Any advice, anyone?

    Thanks a lot



  • 2.  RE: issue with clearpass have 3 authentication source as database user

    Posted Feb 10, 2020 10:37 PM

    I have already configured the domain join as described in the link https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/What-is-the-best-way-to-authenticate-users-via-multiple-domains/ta-p/181644 .

    We already tested with joining multiple domains, or just a single domain as the trusted forest for all domains.



  • 3.  RE: issue with clearpass have 3 authentication source as database user

    Posted Feb 11, 2020 03:21 AM

    I expect this issue will be triggered because of some timeouts. Which version are you running? In one of the latest versions there were some enhancements around LDAP server timeouts. If an LDAP server is not responding, ClearPass will mark the server as down so it will not be used for authentication.

    Are the three domains placed in one forest? If yes, you can simplify the configuration by just querying the Global Catalog servers on a different LDAP port: port 3268 or 3269 (SSL). By querying the GCs you use just one authentication source.
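
Reply 3 attributes the outage to LDAP timeouts and names the Global Catalog ports. The following is an added example (not from the thread and not ClearPass code) that times a TCP connect to each source's LDAP and Global Catalog ports, so a source that fails fast ("refused") can be told apart from one that hangs until the timeout. The host names are hypothetical placeholders, and 389/636 are the standard LDAP/LDAPS ports rather than values from the thread.

```python
import socket
import time

# 3268 / 3269 (SSL) are the Global Catalog ports named in the reply.
# 389 / 636 are the standard LDAP / LDAPS ports, added for comparison.
PORTS = {389: "LDAP", 636: "LDAPS", 3268: "GC", 3269: "GC (SSL)"}

# Hypothetical domain controller names, one per authentication source.
SOURCES = {
    "GGF-AD": "dc1.ggf.example",
    "SQL-AD": "dc1.sql.example",
    "GSK-AD": "dc1.gsk.example",
}


def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Return (state, seconds) for one TCP connect attempt.

    state is "open", "refused" (fast failure), "timeout" (slow failure,
    packets silently dropped) or "error: ..." for anything else.
    """
    start = time.monotonic()
    try:
        connect((host, port), timeout=timeout).close()
        state = "open"
    except socket.timeout:
        state = "timeout"
    except ConnectionRefusedError:
        state = "refused"
    except OSError as exc:  # DNS failure, no route to host, ...
        state = f"error: {exc.strerror or exc}"
    return state, time.monotonic() - start


def survey(sources=SOURCES, ports=PORTS, timeout=3.0,
           connect=socket.create_connection):
    """Probe every port of every source: {(name, port): (state, secs)}."""
    return {
        (name, port): probe(host, port, timeout, connect)
        for name, host in sources.items()
        for port in ports
    }


if __name__ == "__main__":
    for (name, port), (state, secs) in survey().items():
        print(f"{name:7} {PORTS[port]:9} {port:5} {state:10} {secs:5.2f}s")
```

Running it from a host on the same network segment as the production ClearPass server, and again from the lab, shows whether the two environments see the same failure mode for GGF-AD.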



  • 4.  RE: issue with clearpass have 3 authentication source as database user

    Posted Feb 12, 2020 06:41 AM

    Dear Wilem,

    Our ClearPass is version 6.7.9.

    The user said those 3 ADs are different domains, but with a forest trust to 1 AD,