Configuring or reconfiguring Aruba ClearPass to use LDAPS instead of LDAP
As you can read in Microsoft's advisory below, LDAPS is how LDAP connections to Active Directory should be set up from now on: once domain controllers require LDAP signing, simple binds over cleartext LDAP (TCP 389) are rejected, while the same simple bind inside a TLS session on TCP 636 is still accepted.
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
This blog will focus on (re)configuring Aruba ClearPass to use LDAPS instead of LDAP.
Aruba Networks’ wireless controllers are also able to use LDAP and could in theory be impacted as well. However, we know of no installations where Aruba controllers use LDAP directly, and that option is not recommended anyway. Therefore, it is not covered in this document.
How to enable LDAPS in an existing Aruba ClearPass environment
When working on an existing ClearPass installation, first test LDAPS independently of the LDAP connections currently in use. That way a communication error between AD/LDAP and ClearPass has no impact on production authentication.
1. Check the current LDAP configuration: go to Authentication > Sources.
2. Locate the AD/LDAP connections currently in use (filter on Type "Active Directory").
3. Check whether the existing connections are in fact not yet using LDAPS. Open the sources one by one and check the following:
   - If Connection Security is set to "None", corrective action is needed (continue with the next step).
   - If Connection Security is set to "AD over SSL" (also reflected by port 636), no action is required.
4. Clone the existing source: tick it and choose "Copy". A new source appears.
5. Click on the new source and change Connection Security to "AD over SSL" (the port changes to 636). Also consider giving it a more meaningful name.
6. Test the connection via the browse button next to "Search Base DN". If a popup appears and you can browse the directory, the connection works. Click Close. WARNING: do not click Save in the popup, as that may change the base DN.
7. If the connection returns an error, either the certificate is not trusted or there is a communication problem between AD and ClearPass. On an existing installation the root CA certificate should already be in the trust list, but check it and import the CA if necessary: go to Administration > Certificates > Trust List, look for the AD CA certificate and make sure it is Valid and Enabled. For communication errors, check the firewall (TCP port 636 from every ClearPass node to the domain controllers listed in the source). Also make sure the domain controllers actually offer LDAPS; a DC only listens on 636 once it has a suitable server certificate.
8. Now that the test source works, you have two options:
   - Change the original authentication source so that it also uses LDAPS (continue with step 9; quick and preferred method).
   - Modify all services that reference the old authentication source (continue with step 11; phased, longer method, extra caution required).
   For both, communicate with the customer first.
9. Go back to Authentication > Sources and sort again by Type "Active Directory".
10. Modify all the old sources and change Connection Security to "AD over SSL". Delete the test authentication source you created.
11. CAUTION: do not use this method if role mappings and/or enforcement policies check the specific authentication source by name, as you would then also have to modify those role mappings and enforcement policies. Go to Configuration > Services.
12. Identify the services that use the AD/LDAP authentication source (generally the 802.1X services that use Active Directory and the services for logging in to ClearPass itself). To be sure you do not miss any, check every service in use. Under Authentication > Authentication Sources in the service, select the new LDAPS source you created and add it. Make sure it is listed before the old source. Click Save at the bottom.
13. Check the Access Tracker. Make sure the new authentication source is being used and the outcome is successful.
14. Remove the old authentication source from the service.
DONE. You can optionally delete the old authentication source, or leave it in case of fallback.
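The check behind step 7, as an added example that is not part of the original post and not ClearPass code: it opens a TLS session to a domain controller on TCP 636 the way the "AD over SSL" source does, verifying the chain against a CA file and the host name, and separates the two failure classes the step mentions (certificate not trusted versus no connectivity). The host names, the CA file path and the script name are hypothetical; nothing here talks to ClearPass itself.

```python
"""LDAPS reachability and trust check, run from the ClearPass side.

Added example (not ClearPass code). Standard library only, so it can be run
from any host that sits in the same network position as the ClearPass nodes.
Host names, CA path and file name in main() are hypothetical.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LdapsResult:
    ok: bool
    category: str        # "ok", "tls-cert", "tls-other" or "tcp"
    detail: str
    subject_cn: str = ""
    not_after: str = ""


def classify_error(exc: BaseException) -> Tuple[str, str]:
    """Map a connect/handshake exception to (category, what to check).

    Order matters: ssl.SSLError is itself a subclass of OSError, so the TLS
    cases must be tested before the generic socket case.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        reason = getattr(exc, "verify_message", None) or str(exc)
        return ("tls-cert",
                "certificate not trusted or name mismatch; check the issuing CA "
                "under Administration > Certificates > Trust List (Valid and "
                f"Enabled) and the host name configured in the source: {reason}")
    if isinstance(exc, ssl.SSLError):
        return ("tls-other",
                f"TLS handshake failed; is port 636 really serving LDAPS? {exc}")
    if isinstance(exc, OSError):          # refused, timeout, unreachable, DNS
        return ("tcp",
                "no TCP connection; check the firewall between ClearPass and "
                f"the DC, and that the DC offers LDAPS at all: {exc}")
    return ("unknown", str(exc))


def check_ldaps(host: str, cafile: Optional[str], port: int = 636,
                timeout: float = 5.0) -> LdapsResult:
    """Connect to host:port with full chain and host-name verification.

    cafile is the CA that issued the DC's server certificate (the same one
    that must be in the ClearPass trust list); None falls back to the system
    store, which is rarely right for an internal AD CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
                return LdapsResult(True, "ok", f"{tls.version()} handshake OK",
                                   subject.get("commonName", ""),
                                   cert.get("notAfter", ""))
    except Exception as exc:              # every failure is classified, not raised
        category, detail = classify_error(exc)
        return LdapsResult(False, category, detail)


def main(argv: list) -> int:
    # Usage (hypothetical names): python ldaps_check.py ca.pem dc01.example.com dc02.example.com
    if len(argv) < 3:
        print("usage: ldaps_check.py <ca.pem> <dc-host> [<dc-host> ...]")
        return 2
    cafile, hosts = argv[1], argv[2:]
    failed = 0
    for host in hosts:
        r = check_ldaps(host, cafile)
        flag = "OK  " if r.ok else "FAIL"
        extra = f" cn={r.subject_cn} expires={r.not_after}" if r.ok else ""
        print(f"{flag} {host}:636 [{r.category}] {r.detail}{extra}")
        failed += 0 if r.ok else 1
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per domain controller named in the source, from a host with the same network path as the ClearPass nodes; a "tcp" result points at the firewall or a DC without an LDAPS certificate, a "tls-cert" result at the trust list or the host name in the source. The equivalent one-liner without Python is `openssl s_client -connect dc01.example.com:636 -CAfile ca.pem`, and adding `-showcerts` prints the chain the DC presents, which is the quickest way to obtain the issuing CA certificate for the trust list import.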
How to set up LDAPS in a new Aruba ClearPass environment
1. Add a new authentication source: go to Authentication > Sources.
2. Fill in the information about the LDAP/AD server and choose "AD over SSL" as Connection Security. Note that the Search Base DN browse test will only succeed once the CA has been imported in the next steps.
3. Go to Administration > Certificates > Trust List.
4. Import the CA certificate that issued the LDAP server's certificate and make sure it is Valid and Enabled.