
Regular Expression for User and Machine authentication in an AD Domain
Requirement:

You might have a requirement where ClearPass is joined to multiple domains that have no trust relationship between them, with a separate authentication source for each. If you create a single service that lists all of those authentication sources, each request may have to traverse the whole list, which adds considerable delay. This article shows how to build a regular expression that can be used in service categorization, so that each domain gets its own service.



Solution:

When users from multiple domains authenticate, the domain part is typically needed in the username: for user authentication it is either the "netbios\username" format or the "username@domain.com" format, and for machine authentication it is the "host\xyz.domain.com" format, where xyz is the hostname of the machine.

So we can use the service categorization rule "Radius:IETF Username MATCHES_REGEX" to categorize all requests from a particular domain, with a regular expression written for that domain.

The regular expression that handles both user authentication formats discussed above, and also machine authentication, for the domain name "domain.com" is:

^(host\\.{1,}\.[dD][oO][mM][aA][iI][nN]\.[cC][oO][mM]|[dD][oO][mM][aA][iI][nN]\\.{1,}|.*\@[dD][oO][mM][aA][iI][nN]\.[cC][oO][mM])

The ^ anchors the match to the start of the username, and the three alternatives inside the parentheses are separated by |.

The 1st part of the regular expression, host\\.{1,}\.[dD][oO][mM][aA][iI][nN]\.[cC][oO][mM], covers machine authentication.

The 2nd part, [dD][oO][mM][aA][iI][nN]\\.{1,}, covers user authentication in "netbios\username" format (in this example "domain" is assumed to be the NetBIOS name).

The 3rd part, .*\@[dD][oO][mM][aA][iI][nN]\.[cC][oO][mM], covers user authentication in UPN "username@domain.com" format.


The regular expression above can be applied to any domain by replacing the domain name.

For instance, if your domain name is "testcorp.com" instead of "domain.com", the string should look like [tT][eE][sS][tT][cC][oO][rR][pP].

Configuration:

As discussed, we need to configure a service with the service rule "Radius:IETF Username MATCHES_REGEX" and the regular expression above, as shown below, along with your other service conditions.

Once that is done, only users authenticating from the "domain.com" domain will be handled by this service. Services for other domains can be configured in the same way by putting in the appropriate regular expression.

Verification:

Once the regular expression is in place, this service should handle only users from that particular domain. We also need to make sure that the regular expression we put in is valid.

We can validate regular expressions using this website: http://www.regexpal.com/

Put the regular expression developed above in the Regular Expression field and a sample username in the Test String field.

Any match would look like below


Any mismatch would look like below
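The following Python example is added here and is not part of the article or of ClearPass: it builds the same three-part expression for any NetBIOS/DNS domain pair, as the Solution section describes for "testcorp.com", and checks it offline against constructed sample usernames instead of pasting each one into regexpal. The anchor_end flag is this example's own assumption; it shows that the article's expression is anchored only at the start of the username, so a UPN suffix such as "domain.com.au" also matches it.

```python
import re

# The article's expression for "domain.com", copied verbatim.
ARTICLE_REGEX = (
    r"^(host\\.{1,}\.[dD][oO][mM][aA][iI][nN]\.[cC][oO][mM]"
    r"|[dD][oO][mM][aA][iI][nN]\\.{1,}"
    r"|.*\@[dD][oO][mM][aA][iI][nN]\.[cC][oO][mM])"
)


def case_insensitive_literal(text: str) -> str:
    """Spell a literal the way the article does: every letter becomes a
    [xX] class and every other character (e.g. the dot) is escaped."""
    return "".join(
        f"[{ch.lower()}{ch.upper()}]" if ch.isalpha() else re.escape(ch)
        for ch in text
    )


def build_service_regex(netbios: str, dns_domain: str, anchor_end: bool = False) -> str:
    """Build the three-alternative categorization expression for any domain.

    netbios    - NetBIOS name used in NETBIOS\\user logons
    dns_domain - DNS name used in host\\pc.dns_domain and user@dns_domain
    anchor_end - add '$' so nothing may follow the domain (assumed hardening,
                 not part of the article's expression)
    """
    dns = case_insensitive_literal(dns_domain)
    nb = case_insensitive_literal(netbios)
    alternatives = [
        rf"host\\.{{1,}}\.{dns}",  # machine authentication: host\pc.dns_domain
        rf"{nb}\\.{{1,}}",         # user authentication: NETBIOS\username
        rf".*\@{dns}",             # user authentication: username@dns_domain (UPN)
    ]
    return "^(" + "|".join(alternatives) + ")" + ("$" if anchor_end else "")


def matches(pattern: str, username: str) -> bool:
    """True when this Radius:IETF Username value would be caught by the rule."""
    return re.match(pattern, username) is not None


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real request log.
    strict = build_service_regex("domain", "domain.com", anchor_end=True)
    for user in [r"host\pc1.domain.com", r"DOMAIN\alice", "alice@Domain.COM",
                 r"OTHERDOMAIN\alice", "alice@otherdomain.com", "alice@domain.com.au"]:
        print(f"{user:24} article={matches(ARTICLE_REGEX, user)!s:5} "
              f"strict={matches(strict, user)}")
```

Running the block prints, for each sample username, whether the article's expression and the end-anchored variant match it.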


Version History
Revision #: 2 of 2
Last update: 03-01-2017 03:08 AM