  • 1.  Clearpass - Active Directory Issue 0xc0000022

    Posted Aug 11, 2025 02:49 AM

    Hi All,

    Currently I have an issue which is annoying for me.

    So we have a setup of 2 Clearpass (cluster) and 2 AD. If I check "show domain", the output is like this:

    Clearpass Pub -> Connect to AD in Site A

    Clearpass Sub -> Connect to AD in Site B

    I separate the users: the "clearpassadmin" user for the domain join and the "clearpassquery" user for the authentication sources.

    If I point the RADIUS server to Clearpass Pub the connection was normal, but if I point the RADIUS server to Clearpass Sub the connection was broken and this log appears.

    Is there anyone who has experience with this issue? Since the AD was in one forest, the Clearpass was in the same cluster and the username for the domain join was the same.



    -------------------------------------------


  • 2.  RE: Clearpass - Active Directory Issue 0xc0000022

    Posted Aug 11, 2025 03:05 AM

    There are two different things here: the domain join and the AD Authentication source.

    The domain join is needed/used only for MSCHAPv2 (PEAP) authentication, and is deprecated because its security is broken. For WLAN/802.1X you should change to EAP-TLS or TEAP (with EAP-TLS) instead if you care about security. The domain join is similar to a computer joined to the domain, and it will use any of the published domain controllers and if I'm correct it will favor the fastest responding, but it may end up with an AD server far away. By setting the password servers you can steer which servers are used, but again this is only needed for PEAP/MSCHAPv2 authentication, which is deprecated. The account that you used to join to the domain should have enough permissions to join the ClearPass to the domain (create a computer account for the ClearPass server), but after that the computer account is used and the account that you joined with is not used anymore.

    The AD authentication source is used for authorization and typically for group membership checking. It uses LDAP (or better LDAPS over TLS) and is used for authorization, or some authentication scenarios where the cleartext password is available, for example in captive portal. The authentication source uses the servers as configured, a primary server and 1 or more backup servers, which are checked in order. The LDAP connection is made with the account configured in the authentication source, and it should be active and have read access into the relevant parts of the AD.

    What your next step would be is to verify that the publisher and subscriber can both communicate to the required servers. And with LDAP, and Kerberos (basically: any) in case of PEAP/MSCHAPv2 (which is deprecated and should not be used).

    As you mention forest, are the ClearPass servers joined to different domains (in the same forest)? In that case you should use the global catalog for the (LDAP) Authentication Source.

    Because a multi-domain configuration with AD can be challenging or hard to understand, you may need to work with your ClearPass partner and/or TAC to start with the correct design.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass - Active Directory Issue 0xc0000022

    Posted Aug 11, 2025 03:41 AM

    Hi Herman,

    For laptops that have already joined the domain we already use EAP-TLS, but for BYOD we use EAP-PEAP.

    When we use EAP-TLS it works smoothly, but when using EAP-PEAP this error happens:

    All of the Clearpass can communicate with All AD Servers.
    As you mention forest, are the ClearPass servers joined to different domains (in the same forest)? -> Sorry, I may have given wrong information; I mean the ClearPass servers are joined to the same domain but different servers.
    For the user permissions, are there any requirements that need to be enabled? Because I use a non-"Administrator" account, but it can create Computer Accounts.
    -------------------------------------------



  • 4.  RE: Clearpass - Active Directory Issue 0xc0000022

    Posted Aug 11, 2025 04:38 AM

    Especially for BYOD, where you don't have full control over the client, you don't want to use PEAP/MSCHAPv2 as you have a big risk leaking the user's AD credentials. It's not only someone gaining access to the WLAN.

    I've seen this error in some support cases and the issue is that AD rejects access to the ClearPass computer account. You may check the following:

    • Make sure there are no account restrictions set in AD on the computer accounts
    • Disable account expiry and password changes on the computer account from AD
    • Leave the domain and join it again

    And open a TAC case if this doesn't help.



    ------------------------------
    Herman Robers
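The three checklist items above, plus the "should be active" requirement for the Authentication Source bind account from the earlier reply, can be audited from the AD side before opening a TAC case. The following is an added example written for this thread; it is not ClearPass or HPE Aruba code. It runs read-only against a domain controller with the ActiveDirectory PowerShell module and reports which checklist item a finding maps to. The computer account names `CPPM-PUB` and `CPPM-SUB` and the DC `dc01.example.internal` are hypothetical placeholders; `clearpassquery` is the bind account name given in the original post. (NTSTATUS 0xC0000022 is STATUS_ACCESS_DENIED, which is why the account state is worth checking first.)

```powershell
#Requires -Modules ActiveDirectory
# Added example for this thread, not ClearPass/HPE Aruba code.
# Read-only audit of the AD objects ClearPass depends on:
#   * the computer accounts created by the domain join (PEAP/MSCHAPv2 path)
#   * the LDAP bind account of the AD Authentication Source
# Hypothetical values; replace with your own:
$Server           = 'dc01.example.internal'     # domain controller to query
$ComputerAccounts = @('CPPM-PUB', 'CPPM-SUB')   # one computer account per ClearPass node
$LdapBindAccount  = 'clearpassquery'            # bind account named in the thread

Import-Module ActiveDirectory

# Extended properties that explain an AD "access denied" (0xC0000022 = STATUS_ACCESS_DENIED)
$Props = @('Enabled', 'LockedOut', 'PasswordNeverExpires', 'PasswordLastSet',
           'AccountExpirationDate', 'logonHours', 'userWorkstations')

function Get-AccountFindings {
    param(
        [Parameter(Mandatory)] $Account,           # object from Get-ADComputer / Get-ADUser
        [Parameter(Mandatory)] [string] $Kind      # 'computer' or 'user', for the message text
    )
    $name     = "$Kind '$($Account.SamAccountName)'"
    $findings = @()

    if (-not $Account.Enabled) { $findings += "$name is disabled" }
    if ($Account.LockedOut)    { $findings += "$name is locked out" }
    if ($Kind -eq 'user' -and $Account.PasswordExpired) {
        $findings += "$name has an expired password (bind account must be active)"
    }
    if ($Account.AccountExpirationDate -and $Account.AccountExpirationDate -lt (Get-Date)) {
        $findings += "$name expired on $($Account.AccountExpirationDate) (checklist: disable account expiry)"
    }
    if ($Kind -eq 'computer' -and -not $Account.PasswordNeverExpires) {
        $findings += "$name does not have 'password never expires' set (checklist: disable password changes); last set $($Account.PasswordLastSet)"
    }
    # logonHours is a 21-byte bitmap; all 0xFF means 'always', anything else is a restriction
    if ($Account.logonHours -and ($Account.logonHours | Where-Object { $_ -ne 0xFF })) {
        $findings += "$name has a logon-hours restriction (checklist: account restrictions)"
    }
    if ($Account.userWorkstations) {
        $findings += "$name is restricted to workstations '$($Account.userWorkstations)' (checklist: account restrictions)"
    }
    return $findings
}

function Invoke-ClearPassAdAudit {
    $all = @()
    foreach ($c in $ComputerAccounts) {
        try {
            $obj  = Get-ADComputer -Identity $c -Server $Server -Properties $Props
            $all += @(Get-AccountFindings -Account $obj -Kind 'computer')
        } catch {
            # Missing computer object: the join is gone or was made under another name
            $all += "computer '$c' not found on $Server ($($_.Exception.Message)) (checklist: leave and join the domain again)"
        }
    }
    try {
        $u    = Get-ADUser -Identity $LdapBindAccount -Server $Server -Properties ($Props + 'PasswordExpired')
        $all += @(Get-AccountFindings -Account $u -Kind 'user')
    } catch {
        $all += "user '$LdapBindAccount' not found on $Server ($($_.Exception.Message))"
    }
    return $all
}

$findings = Invoke-ClearPassAdAudit
if (@($findings).Count -eq 0) {
    'No AD-side restrictions found: verify reachability from each ClearPass node and open a TAC case.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script changes nothing. If a finding matches, the corresponding AD-side fixes are the standard cmdlets (`Set-ADComputer -Identity CPPM-SUB -PasswordNeverExpires $true`, `Clear-ADAccountExpiration -Identity CPPM-SUB`), while "leave the domain and join it again" is done from the ClearPass server configuration, not in AD. Reachability of LDAP/LDAPS and Kerberos from the publisher and from the subscriber still has to be checked from each ClearPass node itself; an audit run from an admin workstation only proves what the DC holds about the accounts.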