Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authorization attributes for Onboarded PEAP devices

  • 1.  Authorization attributes for Onboarded PEAP devices

    Posted Feb 24, 2014 01:50 PM

    I am trying to pull authorization info from AD (memberOf, etc.) for onboarded devices.  I am finding that Android and Windows devices which use PEAP with unique device credentials are not able to fetch this info for authorization.  I have done this many times with older versions of ClearPass (6.0 - 6.2) by cloning the AD auth source and changing the Authentication filter query from

    (&(sAMAccountName=%{Authentication:Username})(objectClass=user))

     to 

    (&(sAMAccountName=%{Onboard:Owner})(objectClass=user))

     However this trick does not appear to be working in ClearPass 6.3.  In the Access Tracker logs, I get:

    WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Onboard:Owner})(objectClass=user)), error=No values for param=Onboard:Owner
    WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))

     So it seems like something has changed with onboarded device info stored in ClearPass.  

     

    I also note that there is a default filter for "Onboard MemberOf" in the AD auth source, with the same filter query I listed above.  This looks like it should do what I need, however when I include it in the role mapping policy, it does not appear to work, and I do not see the AD group info under the Computed Attributes in Access Tracker. 

     

    Does anyone know the proper way to pull this authorization info in ClearPass 6.3?  

     

    Thanks!
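The two Access Tracker warnings above come from the same mechanism: the LDAP filter is a template, and each `%{Namespace:Attr}` reference has to resolve to a value taken from the current request before the filter can be built. If the reference resolves to nothing (here, no `Onboard:Owner` value is present for a device-credential PEAP login), the filter cannot be constructed at all. The following Python is an added illustration of that substitution, not ClearPass code and not from the original post. The function names (`render_filter`, `missing_params`, `ldap_escape`), the `MissingParam` exception and the request dictionaries are constructed for the example; the two filter strings are the ones quoted above. It also escapes the substituted value per RFC 4515, because a filter built from a username supplied by the supplicant is otherwise an LDAP injection point.

```python
import re

# Matches ClearPass-style parameter references such as %{Authentication:Username}.
# The regex and everything below are illustrative, not ClearPass internals.
PARAM_RE = re.compile(r"%\{([^:{}]+):([^{}]+)\}")


class MissingParam(KeyError):
    """A referenced %{Namespace:Attr} has no value in the current request."""


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL become \\2a, \\28, \\29, \\5c and \\00 so a
    supplicant-supplied username cannot widen or rewrite the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def missing_params(template: str, attrs: dict) -> list:
    """Return the %{Namespace:Attr} references in template that have no value."""
    return [f"{ns}:{name}" for ns, name in PARAM_RE.findall(template)
            if not attrs.get(f"{ns}:{name}")]


def render_filter(template: str, attrs: dict) -> str:
    """Substitute %{Namespace:Attr} references in an LDAP filter template.

    attrs maps "Namespace:Attr" -> value. A reference without a value raises
    MissingParam rather than silently producing an empty clause such as
    (sAMAccountName=), which would match nothing or, worse, something else."""
    def repl(m):
        key = f"{m.group(1)}:{m.group(2)}"
        value = attrs.get(key)
        if value is None or value == "":
            raise MissingParam(f"No values for param={key}")
        return ldap_escape(str(value))
    return PARAM_RE.sub(repl, template)


# The two filter templates from the post.
AD_FILTER = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
OWNER_FILTER = "(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))"

# Constructed request attribute sets (assumptions, not captured ClearPass data).
# A device-credential PEAP login carries a device username but no Onboard:Owner.
DEVICE_REQUEST = {"Authentication:Username": "android-ab12cd",
                  "Authentication:Outer-Method": "PEAP"}
# A request where an owner attribute is present alongside the device username.
OWNER_REQUEST = {"Authentication:Username": "android-ab12cd",
                 "Onboard:Owner": "jsmith"}
# A hostile username that would alter the filter if not escaped.
INJECTION_REQUEST = {"Authentication:Username": "*)(memberOf=*"}


def demo():
    print(render_filter(AD_FILTER, DEVICE_REQUEST))
    print(render_filter(OWNER_FILTER, OWNER_REQUEST))
    print(render_filter(AD_FILTER, INJECTION_REQUEST))
    print("missing:", missing_params(OWNER_FILTER, DEVICE_REQUEST))
    try:
        render_filter(OWNER_FILTER, DEVICE_REQUEST)
    except MissingParam as e:
        print("WARN Failed to construct filter:", e)


if __name__ == "__main__":
    demo()
```

`missing_params` is the check to run before adopting a cloned auth source: it lists which references in the filter the request does not carry, which is exactly the condition the first warning reports. The escaping in `ldap_escape` is the caveat: anything copied from the request into the filter must be escaped, whichever attribute the template references.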

     



  • 2.  RE: Authorization attributes for Onboarded PEAP devices

    Posted Feb 24, 2014 03:58 PM

     

    If you haven't, you should open a TAC case.

     

    I experienced some issues with RADIUS and TACACS authentications; these were working fine before upgrading from 6.2 to 6.3.