Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Authorization attributes for Onboarded PEAP devices

I am trying to pull authorization info from AD (memberOf, etc.) for onboarded devices. I am finding that Android and Windows devices which use PEAP with unique device credentials are not able to fetch this info for authorization. I have done this many times with older versions of ClearPass (6.0 - 6.2) by cloning the AD auth source and changing the Authentication filter query from

(&(sAMAccountName=%{Authentication:Username})(objectClass=user))

 to 

(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))

 However this trick does not appear to be working in ClearPass 6.3.  In the Access Tracker logs, I get:

WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Onboard:Owner})(objectClass=user)), error=No values for param=Onboard:Owner
WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))

 So it seems like something has changed with onboarded device info stored in ClearPass.  

 

I also note that there is a default filter for "Onboard MemberOf" in the AD auth source, with the same filter query I listed above. This looks like it should do what I need, however when I include it in the role mapping policy, it does not appear to work, and I do not see the AD group info under the Computed Attributes in Access Tracker.

 

Does anyone know the proper way to pull this authorization info in ClearPass 6.3?  

 

Thanks!

 

MVP
Posts: 4,269
Registered: ‎07-20-2011

Re: Authorization attributes for Onboarded PEAP devices

 

If you haven't, you should open a TAC case.

 

I experienced some issues with RADIUS and TACACS authentications; these were working fine before upgrading from 6.2 to 6.3.

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA