Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Location specific authentication servers

  • 1.  Location specific authentication servers

    Posted 12 days ago

    Is it possible to select an authentication server based on the controller used?

    I have a 4 node CPPM cluster, authenticating to a primary and backup AD controller on our main campus. One of those nodes is on a remote campus, and I'd like to have it use a local AD controller rather than authenticating across the WAN.

    I can create a unique authentication server, and I can create a unique service to use it based on the NAS ID, but is there a better and less manual way?

    This is for eduroam, so switching from passwords to certificates is not an option.



  • 2.  RE: Location specific authentication servers

    EMPLOYEE
    Posted 12 days ago

    The topic "Adding a Password Server" is what I think you are after.

    https://www.arubanetworks.com/techdocs/ClearPass/6.12/PolicyManager/Content/CPPM_UserGuide/Admin/ServerConfig_editsystemtab.htm#B926210353



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Location specific authentication servers

    Posted 12 days ago

    Thanks Carson. That will take care of it for authentications.

    Now if I understand correctly, the AD domain connection is only used for MSCHAPV2 logins. All the attributes are pulled using LDAP from the AD server(s) in the authentication source. I think I can do some geo-dns hacks to make that work.

    Friday is funday. :)




  • 4.  RE: Location specific authentication servers
    Best Answer

    EMPLOYEE
    Posted 12 days ago

    Set your Auth Source primary target to the domain name rather than a specific DC; DNS should return a result based on the configured site.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Location specific authentication servers

    Posted 12 days ago

    Well that's simply too logical.

    Thanks!

    Andrew