Contributor II

ClearPass UPN auth and Onboarding

Hi!

I'm trying to change our current setup to allow users to use their UPN to sign in to the WLAN and then onboard their device, also using their UPN.

Before, using sAMAccountName, this was no problem, but some users don't even know their sAMAccountName and we therefore want to use the UPN, which is the same as their email address.

So making the service and AD connection was no big issue, and I've got connecting to the WLAN solved.

I simply changed the service not to strip @, and added

(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

to the filter of the AD connection.

 

But when trying to connect with an onboarded device, it simply will not work. I get "User not found in any authentication source", error code 201.

When checking Access Tracker I see that it might be using the wrong username somehow.

I want to use firstname.lastname@domain.se

but it simply shows:

Authentication:Username firstname$

I've tried multiple things:

changing my AD query to: Authentication-Fullname

and also changing my ONBOARD DEVICE REPOSITORY query to


SELECT user_credential(password) AS User_Password,
       CASE WHEN enabled = FALSE THEN 225
            WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226
            WHEN approval_status != 'Approved' THEN 227
            ELSE 0
       END AS Account_Status,
       sponsor_name
FROM tips_guest_users
WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('%{Authentication:Full-Username}')::text) AND (app_name = 'Onboard'))


But none of it seems to help. The annoying part is that the log from Access Tracker states:

INFO RadiusServer.Radius - rlm_ldap: searching for user firstname.lastname@domain.se in AD:xxxxx

which looks correct, but it still says

ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting

in the end.

In this link a similar issue is discussed:

http://community.arubanetworks.com/t5/Security/onboard-device-repository-is-NOT-chosen-as-authentication-source/td-p/248951

Maybe the SQL stuff mentioned at the end of the thread is not the same as I tried?

Also, the users' UPN and sAMAccountName are completely different, sadly...

/Daniel
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Guru Elite

Re: Clearpass UPN auth and Onboarding

You should not be changing anything other than the AD auth source query.

Make sure ONLY your AD source is listed as the auth source for your 802.1X service. You should not be attempting to authenticate against the Onboard Device Repo.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Clearpass UPN auth and Onboarding

We are using the same SSID for onboarding and 802.1X, and computer authentication for corporate clients.

So I did as you said and removed the Onboard repository from the 802.1X service. It made no difference though; Access Tracker still says it can't find the user in AD.

Also check out these computed attributes from Access Tracker; Authentication:Username is totally wrong...

Authentication:ErrorCode = 201
Authentication:Full-Username = host/firstname.lastname@domain.se
Authentication:MacAuth = NotApplicable
Authentication:OuterMethod = EAP-TLS
Authentication:Posture = Unknown
Authentication:Status = Failed
Authentication:Username = firstname$
/Daniel
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Guru Elite

Re: Clearpass UPN auth and Onboarding

OK, so the issue is not with Onboarded users, it's with corporate AD-joined machines receiving their certificates through ADCS?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Clearpass UPN auth and Onboarding

No, sorry for the confusion. The 802.1X with corporate machines works fine; they use AD PKI.

It's when using the UPN to onboard a device using the ClearPass Onboard CA. It worked fine using sAMAccountName for the onboarding, just not when we use the UPN instead. Tried this with the same user account.

Also tried with and without stripping these in the service:

\:user,/:user

But it makes no difference. Also tried stripping @, but then UPN logon to the WLAN stops working.

/Daniel
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Guru Elite

Re: Clearpass UPN auth and Onboarding

Sorry, this is very difficult to follow.

So you're saying the issue only occurs during the Onboard process, or post-Onboard when the device authenticates using its certificate?

Might be best to work with your ClearPass partner or Aruba TAC to work on it in real time.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Clearpass UPN auth and Onboarding

Yeah, sorry.

The onboarding process works fine; the device is in the database and my UPN user is listed as owner of the device.

It's when connecting to the WLAN after the device has been onboarded that I get this issue.

/Daniel
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Guru Elite

Re: Clearpass UPN auth and Onboarding

Please post an access tracker export for the request.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Clearpass UPN auth and Onboarding

Summary
Login Status: REJECT
Session Identifier: R00430b5d-02-5a60b53e
Date and Time: Jan 18, 2018 15:54:54 CET
End-Host Identifier: 605718937088
Username: host/firstname.lastname@domain.se
Access Device IP/Port: xx.xx.xx.xx.xx:0 (xxxx-CTRL01 / Aruba)
System Posture Status: UNKNOWN (100)

Policies Used -
Service: TEST
Authentication Method: EAP-TLS
Authentication Source: None
Authorization Source: [Endpoints Repository]
Roles: xxxxxx
Enforcement Profiles: xxxxxx
Service Monitor Mode: Disabled
Online Status: Not Available

Input:
Username: host/firstname.lastname@domain.se
End-Host Identifier: 605718937088
Access Device IP/Port: xxxxx (xxxxx-CTRL01 / Aruba)

Radius:Aruba:Aruba-AP-Group = TEST
Radius:Aruba:Aruba-Device-Type = Win 10
Radius:Aruba:Aruba-Essid-Name = xxxxx
Radius:Aruba:Aruba-Location-Id = xxxxxx
Radius:IETF:Called-Station-Id = 0xxxx
Radius:IETF:Calling-Station-Id = xxxx
Radius:IETF:Framed-MTU = 1100
Radius:IETF:NAS-Identifier = WIFI
Radius:IETF:NAS-IP-Address = xxxxx
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 2
Radius:IETF:User-Name = host/firstname.lastname@domain.se

Authentication:ErrorCode = 201
Authentication:Full-Username = host/firstname.lastname@domain.se
Authentication:MacAuth = NotApplicable
Authentication:OuterMethod = EAP-TLS
Authentication:Posture = Unknown
Authentication:Status = Failed
Authentication:Username = firstname$
Authorization:Sources = [Endpoints Repository]
Connection:AP-Name = XXXX
Connection:Client-Mac-Address = 605718937088
Connection:Client-Mac-Address-Colon = 60:57:18:93:70:88
Connection:Client-Mac-Address-Dot = 6057.1893.7088
Connection:Client-Mac-Address-Hyphen = 60-57-18-93-70-88
Connection:Client-Mac-Address-NoDelim = 605718937088
Connection:Client-Mac-Address-Upper-Hyphen = 60-57-18-93-70-88
Connection:Client-Mac-Vendor = Intel Corporate
Connection:Dest-IP-Address = XXXXXX
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = XXXXXX
Connection:Protocol = RADIUS
Connection:Src-IP-Address = XXXXXX
Connection:Src-Port = 52738
Connection:SSID = XXXXX
Date:Date-Time = 2018-01-18 15:54:54
Host:FQDN = firstname.lastname@domain.se
Host:Name = firstname

Alerts:
Error Code: 201
Error Category: Authentication failure
Error Message: User not found

Alerts for this Request
Policy server: Failed to get value for attributes=[Category, Device Name]
RADIUS: domain.se - server.domain.se: User not found.
EAP-TLS: Authentication failure, unknown user


/Daniel
ACMP | ACCP | HP ATP - FlexNetwork Solutions
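The export above shows the chain that decides the outcome: the certificate identity host/firstname.lastname@domain.se is split into Host:FQDN, Host:Name and an Authentication:Username of firstname$, and that last value is what the AD filter from the first post receives in place of %{Authentication:Username}. The script below is an added example, not code from this thread or from Aruba ClearPass. It models that split as a rule generalised from this one export (an assumption, not documented ClearPass behaviour), substitutes the thread's filter with RFC 4515 escaping, and evaluates it against a constructed directory in which, as the original poster describes, the user's sAMAccountName (dsven, a made-up value) differs from the UPN. The function names (derive_identity, diagnose, search) and the LAPTOP01$ computer object are likewise constructed for the example.

```python
"""Added example, not code from the Airheads thread or from Aruba ClearPass.

Models the identity split the Access Tracker export shows
(Full-Username host/... -> Host:FQDN, Host:Name, Username ending in '$'),
then evaluates the poster's AD filter against a constructed directory to show
why a lookup keyed on %{Authentication:Username} cannot find the user.
The split rule is an assumption generalised from that one export.
"""
import re

# The AD filter exactly as posted in the thread; %{...} is substituted at query time.
THREAD_FILTER = (
    "(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
    "(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))"
)

# Constructed entries: the user's sAMAccountName differs from the UPN, as the poster
# says. AD computer objects also carry objectClass 'user' and are named <host>$,
# which is why the same filter serves machine authentication.
DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "dsven",
     "userPrincipalName": "firstname.lastname@domain.se"},
    {"objectClass": ["top", "person", "user", "computer"],
     "sAMAccountName": "LAPTOP01$", "dNSHostName": "laptop01.domain.se"},
]

def derive_identity(full_username):
    """Split modelled on the export (assumption): a 'host/' prefix marks a machine
    identity, the first label of the FQDN is the host name, and the account name
    becomes that host name plus '$'. Any other identity is used unchanged."""
    attrs = {"Authentication:Full-Username": full_username}
    if full_username.lower().startswith("host/"):
        fqdn = full_username[len("host/"):]
        host_name = re.split(r"[.@]", fqdn, maxsplit=1)[0]
        attrs.update({"Host:FQDN": fqdn, "Host:Name": host_name,
                      "Authentication:Username": host_name + "$"})
    else:
        attrs["Authentication:Username"] = full_username
    return attrs

def ldap_escape(value):
    """RFC 4515 escaping, so a substituted value can never alter the filter's
    structure (no wildcards or extra clauses from a crafted identity)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def substitute(template, attrs):
    """Fill %{Attribute} placeholders with escaped values."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: ldap_escape(attrs.get(m.group(1), "")), template)

def parse_filter(text, pos=0):
    """Parse the RFC 4515 subset used here ('&', '|' and equality matches).
    Returns (node, position after the component)."""
    if text[pos] != "(":
        raise ValueError("filter component must start with '('")
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] != ")":
            child, pos = parse_filter(text, pos)
            children.append(child)
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, value), end + 1

def matches(node, entry):
    # Attribute names and these values compare case-insensitively, as in AD.
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, wanted = node
    stored = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    values = stored if isinstance(stored, list) else [stored]
    return any(v is not None and v.lower() == wanted.lower() for v in values)

def search(template, attrs, directory=DIRECTORY):
    """Substitute, parse and evaluate; returns matching sAMAccountNames."""
    node, _ = parse_filter(substitute(template, attrs))
    return [e["sAMAccountName"] for e in directory if matches(node, e)]

def diagnose(full_username, directory=DIRECTORY):
    """Lookup keyed on the derived Username versus one keyed on the part after
    'host/' (the value the export shows as Host:FQDN)."""
    attrs = derive_identity(full_username)
    as_fqdn = dict(attrs)
    as_fqdn["Authentication:Username"] = attrs.get("Host:FQDN", full_username)
    return {"derived": attrs,
            "matches_with_username": search(THREAD_FILTER, attrs, directory),
            "matches_with_fqdn": search(THREAD_FILTER, as_fqdn, directory)}

if __name__ == "__main__":
    for ident in ("host/firstname.lastname@domain.se",
                  "firstname.lastname@domain.se", "host/laptop01.domain.se"):
        r = diagnose(ident)
        print(f"{ident} -> Username {r['derived']['Authentication:Username']!r}: "
              f"by Username {r['matches_with_username']}, by FQDN {r['matches_with_fqdn']}")
```

Run as-is, the first identity derives firstname$ and matches nothing, the plain UPN matches the user (consistent with the poster's report that UPN logon to the WLAN works), and host/laptop01.domain.se resolves to the computer account, which is the case the host/ convention exists for. The escaping in substitute is there because a certificate subject is attacker-influenced input to the directory query; whether ClearPass escapes internally is not something this thread establishes.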
Guru Elite

Re: Clearpass UPN auth and Onboarding

Why are the Onboarded devices configured for machine authentication?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480