Frequent Contributor I
Posts: 271
Registered: ‎09-24-2010

Authentication with UPN

Employees are currently connecting to the company wireless with their SAM account name. We are in the midst of changing all authentication to UPN account name. Is there a way (in ClearPass) for authentication to use SAM and UPN? Eventually it will just be UPN, but for the migration, both will be needed.

Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Authentication with UPN

Both are valid, you just need to use the strip rule to remove it prior to authentication:

 

strip-username.png


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 271
Registered: ‎09-24-2010

Re: Authentication with UPN

So all I have to do is enable 'Strip Username Rules' and enter "user:@,\:user"?

Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Authentication with UPN


Yes. When that is enabled, all of the following will work:

 

username

username@domain.com

DOMAIN\username

HOST\computer-name.domain.com

 

 

The nice thing with UPNs is you can make policy decisions based on the authenticating user's domain. This is how eduroam works at its core. You can either do separate services for each domain or just reference the "Authentication:Full-Username" attribute in a role map or enforcement policy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 271
Registered: ‎09-24-2010

Re: Authentication with UPN

Didn't work. Do I need to configure something else?

Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Authentication with UPN

What is ClearPass showing on the alerts tab in access tracker?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 271
Registered: ‎09-24-2010

Re: Authentication with UPN

 
 
Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed

Alerts for this Request:
RADIUSServer - xxx.xxx.xxx.xxx: User not found.
Server - xxx.xxx.xxx.xxx: User not found.
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure
Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Authentication with UPN

OK. You'll need to modify the authentication filter to be:

 

(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Full-Username})))

 

authentication-upn.PNG

 

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 271
Registered: ‎09-24-2010

Re: Authentication with UPN

Access tracker now says: Search failed due to bad filter

Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Authentication with UPN

Hm. OK. Try this one:

 

(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
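
Added example (not part of the thread and not ClearPass code): a small Python model of what the strip rules and the last filter above do to the username forms listed earlier. The function names are hypothetical, and the rule semantics ("user:SEP" keeps the text before SEP, "SEP:user" keeps the text after it) and the substitution of the stripped name for %{Authentication:Username} are assumptions. The RFC 4515 escaping step is what your own code should do when it builds a similar search filter from a submitted name.

```python
# Model of the strip rules and AD search filter discussed in the thread.
# Illustration only: names are hypothetical, semantics are assumed.

STRIP_RULES = "user:@,\\:user"  # rule string quoted in the thread

# Second filter from the thread, with the placeholder replaced by {name}.
FILTER_TEMPLATE = (
    "(|(&(objectClass=user)(sAMAccountName={name}))"
    "(&(objectClass=user)(userPrincipalName={name})))"
)


def strip_username(full_username, rules=STRIP_RULES):
    """Apply each comma-separated rule in order (assumed semantics)."""
    name = full_username
    for rule in rules.split(","):
        left, _, right = rule.partition(":")
        if left == "user" and right and right in name:
            name = name.split(right, 1)[0]   # keep text before separator
        elif right == "user" and left and left in name:
            name = name.split(left, 1)[1]    # keep text after separator
    return name


def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value stays literal data."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(username):
    """Substitute the escaped username into the search filter."""
    return FILTER_TEMPLATE.format(name=escape_filter_value(username))


# First four forms are from the thread; the last is a constructed sample
# containing filter metacharacters.
SAMPLES = [
    "username",
    "username@domain.com",
    "DOMAIN\\username",
    "HOST\\computer-name.domain.com",
    "o(brien)*@domain.com",
]

if __name__ == "__main__":
    for full in SAMPLES:
        stripped = strip_username(full)
        print(f"{full!r:36} -> {stripped!r}")
        print("   ", build_filter(stripped))
```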