AAA, NAC, Guest Access & BYOD

How does ClearPass determine the domain the authentication request belongs

Aruba Employee
Q:

How does ClearPass determine the domain the authentication username belongs to, which is crucial when performing MS-CHAPv2 authentication 



A:

ClearPass uses any of these 3 pieces of information to determine the domain the authentication username belongs to 

  1. NETBIOS Name in the username in case of usernames in domain\username format and domain name in the username in case of Machine authentication with host\<Service Prinicipal Name> 
  2. If the authentication username does not have the NETBIOS name, ClearPass searches the authentication source for that username and if the user is found in that authentication source it considers the NETBIOS name of the user to be the same as the authentication source( Please note that ClearPass always fetches the NETBIOS name when creating an authentication source of type AD)
  3. If the authentication source is a Global Catalog and does not have a specific NETBIOS name attached to it, then Clearpass uses the SID that it fetches while searching for the user and compares that to the SID it has in its Samba Domain config file and if they have the same pattern( all SIDs of users belonging to the same domain would have the same pattern), ClearPass considers that the user belongs to that domain

Please note that there is an option  in the authentication source called "Always use NetBIOS name" if you enable that option ClearPass bypasses 1 and always uses 2 to determine the domain the user belongs to.

Also please find below an example of the user SID and the domain SID. The domain SID is part of the domain configuration file and its updated when Clearpass is made part of the domain.

 

A user objectsid in the example, domain nslab.com


user object sid = S-1-5-21-732496151-3845688481-2473524664-1376

SID for Domain nslab.com

domain_sid = S-1-5-21-732496151-3845688481-2473524664

Please see that the SID is the same for the user and domain except for the last few characters in the user SID which tells us that the user belongs to the nslab.com domain in this example

 

Version history
Revision #:
2 of 2
Last update:
‎02-21-2017 05:43 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.