Administrator Guide

Dell Networking W-ClearPass Deployment Guide
Chapter 3
Preparing for Active Directory Authentication
This chapter describes the steps required to integrate W-ClearPass Policy Manager with Microsoft Active
Directory. Some use cases require W-ClearPass to be joined to the Active Directory domain; 802.1X
authentication with EAP-PEAP-MSCHAPv2 is one such use case. 802.1X authentication with Active Directory as
the primary authentication source is the focus of this chapter.
In other use cases, such as with Captive Portal authentication, joining W-ClearPass to Active Directory is
optional.
This chapter includes the following information:
• Joining a W-ClearPass Server to an Active Directory Domain
• Adding Active Directory as an Authentication Source to W-ClearPass
• Obtaining and Installing a Signed Certificate From Active Directory
• Manually Testing Login Credentials Against Active Directory
Joining a W-ClearPass Server to an Active Directory Domain
This section contains the following information:
• Introduction
• Confirming the Date and Time Are in Sync
• Joining an Active Directory Domain
• About the Authentication Source and the Authorization Process
• Manually Specifying Active Directory Domain Controllers for Authentication
• Disassociating a W-ClearPass Server From an Active Directory Domain
Introduction
The first task in preparing W-ClearPass for Active Directory (AD) authentication via EAP-PEAP-MSCHAPv2 is to
join the W-ClearPass server to an Active Directory domain. Joining W-ClearPass Policy Manager to an Active
Directory domain allows you to authenticate users and computers that are members of an Active Directory
domain.
Joining W-ClearPass Policy Manager to an Active Directory domain creates a computer account for the
W-ClearPass node in the Active Directory database. Users can then authenticate to the network using 802.1X and
EAP methods, such as PEAP-MSCHAPv2, with their own Active Directory credentials.
A one-time procedure to join W-ClearPass Policy Manager to the domain must be performed from an account
that has the ability to join a computer to the domain; if you are unsure whether the administrator account has
the ability to do so, check with your Windows administrator.
Why does W-ClearPass need to join Active Directory to perform EAP-PEAP-MS-CHAPv2 authentication for
802.1X? W-ClearPass Policy Manager needs to be joined to Active Directory because when performing
authentication for a client using EAP-PEAP-MS-CHAPv2, only the password hashes supplied by the user are
used to authenticate against Active Directory. This is done using NT LAN Manager (NTLM) authentication,
which requires Active Directory domain membership.