Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication with UPN

  • 1.  Authentication with UPN

    Posted Jan 09, 2015 02:02 PM

    Employees are currently connecting to the company wireless with their SAM account name. We are in the midst of changing all authentication to UPN account name. Is there a way (in ClearPass) for authentication to use SAM and UPN? Eventually it will just be UPN, but for the migration, both will be needed.



  • 2.  RE: Authentication with UPN

    EMPLOYEE
    Posted Jan 09, 2015 02:04 PM

    Both are valid, you just need to use the strip rule to remove it prior to authentication:

     

    strip-username.png



  • 3.  RE: Authentication with UPN

    Posted Jan 09, 2015 02:09 PM

    So all I have to do is enable 'Strip Username Rules' and enter "user:@,\:user"



  • 4.  RE: Authentication with UPN

    EMPLOYEE
    Posted Jan 09, 2015 02:10 PM

    Yes. When that is enabled, all of the following will work:

    username
    username@domain.com
    DOMAIN\username
    HOST\computer-name.domain.com

    The nice thing with UPNs is you can make policy decisions based on the authenticating user's domain. This is how eduroam works at its core. You can either do separate services for each domain or just reference the "Authentication:Full-Username" attribute in a role map or enforcement policy.



  • 5.  RE: Authentication with UPN

    Posted Jan 09, 2015 02:19 PM

    Didn't work. Do I need to configure something else?



  • 6.  RE: Authentication with UPN

    EMPLOYEE
    Posted Jan 09, 2015 02:20 PM

    What is ClearPass showing on the alerts tab in access tracker?



  • 7.  RE: Authentication with UPN

    Posted Jan 09, 2015 02:26 PM
     
     
    Error Code: 216
    Error Category: Authentication failure
    Error Message: User authentication failed
    Alerts for this Request:
    RADIUSServer - xxx.xxx.xxx.xxx: User not found.
    Server - xxx.xxx.xxx.xxx: User not found.
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure


  • 8.  RE: Authentication with UPN

    EMPLOYEE
    Posted Jan 09, 2015 02:50 PM

    OK. You'll need to modify the authentication filter to be:

     

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Full-Username})))

     

    authentication-upn.PNG

     

     



  • 9.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:07 PM

    Access tracker now says: Search failed due to bad filter



  • 10.  RE: Authentication with UPN

    EMPLOYEE
    Posted Jan 09, 2015 03:15 PM

    Hm. OK. Try this one:

     

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

     



  • 11.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:21 PM

    same error



  • 12.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:23 PM

     

    12015-01-09 15:18:53,716[Th 39 Req 1600308 SessId R00043d13-01-54b037ad] ERROR RadiusServer.Radius - rlm_ldap: ldap_search() failed: Bad search filter: (|(&(objectClass=user)(sAMAccountName=))(&(objectClass=user)(userPrincipalâ??Name=rrau)))


  • 13.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:32 PM

    Try this one.

     

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

     



  • 14.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:37 PM

    bad filter still



  • 15.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:46 PM

    One more try: 

     

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

     



  • 16.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:53 PM

    bad filter still



  • 17.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:53 PM

    I just tested this successfully using both username and UPN.  Confirm your cut/paste did not add any characters.
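
The log line in post 12 shows stray bytes inside `userPrincipalName`, which is what an invisible character picked up during copy/paste looks like once it reaches the LDAP server. The script below is an added example, not part of any post in this thread and not ClearPass code: it lists non-ASCII and invisible characters in a pasted filter, checks parenthesis balance, and strips Unicode format characters. The function names and the sample string are assumptions made for the illustration.

```python
import unicodedata

# Categories that are invisible or look like whitespace when pasted from a web page.
SUSPECT_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}


def find_suspect_chars(ldap_filter):
    """Return (offset, 'U+XXXX', name) for each character that should not be in a filter."""
    hits = []
    for offset, ch in enumerate(ldap_filter):
        if ch == " ":
            continue  # a plain ASCII space is legal inside attribute values
        if ord(ch) > 0x7E or unicodedata.category(ch) in SUSPECT_CATEGORIES:
            name = unicodedata.name(ch, "UNNAMED")
            hits.append((offset, "U+%04X" % ord(ch), name))
    return hits


def parens_balanced(ldap_filter):
    """True when every '(' has a matching ')' and depth never goes negative."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def strip_format_chars(ldap_filter):
    """Drop characters of Unicode category Cf (zero-width space, BOM, soft hyphen)."""
    return "".join(c for c in ldap_filter if unicodedata.category(c) != "Cf")


# Constructed sample: a filter modelled on the ones in this thread, with U+200B
# inserted where forum software commonly breaks long words.
PASTED = ("(|(&(objectClass=user)(sAMAccountName=%{Authentica\u200btion:Username}))"
          "(&(objectClass=user)(userPrincipal\u200bName=%{Authentication:Username})))")

if __name__ == "__main__":
    for offset, codepoint, name in find_suspect_chars(PASTED):
        print("offset %d: %s %s" % (offset, codepoint, name))
    print("balanced:", parens_balanced(PASTED))
    print("cleaned :", strip_format_chars(PASTED))
```

Run it against the filter text exactly as it sits in the clipboard, before saving it on the authentication source; the sample is balanced and looks correct on screen, yet contains two hidden characters.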



  • 18.  RE: Authentication with UPN

    Posted Jan 09, 2015 03:59 PM

    Doesn't work. I confirmed. See attachment.

     

    Server - xxx.xxx.xxx.xxx: Search failed due to bad filter
    Server - xxx.xxx.xxx.xxx: Search failed due to bad filter
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

     



  • 19.  RE: Authentication with UPN

    Posted Jan 09, 2015 04:13 PM

    What version of CPPM? I confirmed again it works on my end; see attached pictures. Attached for easier reading.



  • 20.  RE: Authentication with UPN

    Posted Jan 09, 2015 04:17 PM

    6.4.2.68288



  • 21.  RE: Authentication with UPN

    Posted Jan 09, 2015 04:47 PM

    And when I add this filter, UPN and SAM auth fail.