How does ClearPass determine the domain the authentication username belongs to, which is crucial when performing MS-CHAPv2 authentication?
ClearPass uses one of these three pieces of information to determine the domain the authentication username belongs to:
1. The NetBIOS name in the username, for usernames in domain\username format, or the domain name in the username in the case of machine authentication with host\<Service Principal Name>.
2. If the authentication username does not carry a NetBIOS name, ClearPass searches the authentication source for that username; if the user is found there, it takes the user's NetBIOS name to be that of the authentication source. (ClearPass always fetches the NetBIOS name when an authentication source of type AD is created.)
3. If the authentication source is a Global Catalog and has no specific NetBIOS name attached to it, ClearPass uses the SID it fetches while searching for the user and compares it to the domain SIDs in its Samba domain configuration file. If they share the same prefix (all users belonging to one domain have SIDs that differ only in the final component), ClearPass considers the user to belong to that domain.
Note that the authentication source has an option called "Always use NetBIOS name"; when it is enabled, ClearPass skips method 1 and always uses method 2 to determine the domain the user belongs to.
Below is an example of a user SID and the corresponding domain SID. The domain SID is part of the domain configuration file and is updated when ClearPass is joined to the domain.
User objectSid in the example, for domain nslab.com:
user object sid = S-1-5-21-732496151-3845688481-2473524664-1376
SID for domain nslab.com:
domain_sid = S-1-5-21-732496151-3845688481-2473524664
Note that the user SID and the domain SID are identical except for the final component of the user SID (1376, the user's relative identifier); that shared prefix is what tells ClearPass that the user belongs to the nslab.com domain in this example.
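The prefix comparison from method 3, as an added worked example (not ClearPass's own code): it decodes a binary objectSid as a Global Catalog returns it, strips the final component, and matches the remainder against a table of domain SIDs. The NetBIOS names "NSLAB" and "OTHER", the second domain SID and the binary sample are constructed for illustration.

```python
import struct
from typing import Dict, Optional, Tuple

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid (LDAP/Global Catalog form) into S-1-... text form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit identifier authority
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    subs = struct.unpack("<%dI" % count, raw[8:])        # sub-authorities are little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here only to build a constructed sample objectSid."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid): the domain SID is everything except the last component."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def domain_for_user(user_sid: str, domains: Dict[str, str]) -> Optional[str]:
    """Match the user's SID prefix against configured domain SIDs (NetBIOS name -> domain SID).
    Compare whole components rather than str.startswith, so S-1-5-21-1-2-3 does not
    falsely match a user in S-1-5-21-1-2-30. Returns the NetBIOS name or None."""
    prefix, _rid = split_sid(user_sid)
    for netbios, domain_sid in domains.items():
        if domain_sid == prefix:
            return netbios
    return None

# Constructed sample data: the nslab.com SIDs from the text plus a hypothetical second domain.
DOMAINS = {
    "NSLAB": "S-1-5-21-732496151-3845688481-2473524664",
    "OTHER": "S-1-5-21-111111111-222222222-333333333",
}
SAMPLE_OBJECTSID = sid_to_bytes("S-1-5-21-732496151-3845688481-2473524664-1376")

if __name__ == "__main__":
    text_sid = sid_from_bytes(SAMPLE_OBJECTSID)
    print(text_sid, "->", domain_for_user(text_sid, DOMAINS))
```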