ClearPass AD Auth Source with lots of Read Only Domain Controllers
11-26-2019 05:51 AM
We have more than 40 remote offices (construction sites in different businesses) with RODCs that don't have stable WAN connections to the central site. We want to deploy ClearPass Subscribers into these locations. The locations are very dynamic as these sites are worldwide construction sites. They are completely self-sustainable and don't need to be online all the time.
As it's only possible to configure AD Servers as Primary (and optional Backup) AD authentication sources, it would be necessary to configure many of these sources (with the local RODC as Primary and a central DC as the Backup AD Auth Source). Configuring ClearPass Services would need many AD Auth sources or Services tailored to the remote offices. This would slow down the authentication process significantly and it would be hard to administer lots of similar ClearPass services with just different AD sources.
What is the easiest way to configure and maintain a single AD authentication source that can be used globally?
Is there a mechanism within ClearPass to get the nearest DC (we have a Single AD Domain and maintain the AD sites and subnets) for use as the AD Authentication Source for EAP-TLS?
Thank you for your ideas!