Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Computed Attributes missing Certificate information

  • 1.  Computed Attributes missing Certificate information

    Posted Feb 05, 2018 03:04 PM

    Using EAP-TLS for the connection and all users and devices have a certificate issued by a certificate authority.

     

    How does ClearPass process the Computed Attributes and why would it leave out the certificate information especially when EAP-TLS is being used which requires the certificate?

     

    When I use the following LDAP query, the certificate information shows up under Computed Attributes:

     

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

     

    When I change to the following LDAP query, the Certificate information is no longer included in the Computed Attributes and the query fails. 

     

    (&(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))(|(&(objectClass=computer)(distinguishedName=%{Certificate:Subject-DN}))(&(objectClass=user)(distinguishedName=%{Certificate:Subject-DN}))))

     

    Nothing is changed on the client, only the LDAP query in the Authentication source has changed.

     

    I have manually tested the LDAP query in the ClearPass Authentication Source and it returns a single result with no errors.



  • 2.  RE: Computed Attributes missing Certificate information

    EMPLOYEE
    Posted Feb 05, 2018 03:13 PM

    The Authentication:Username attribute is pulled based on the attribute(s) you select in the EAP-TLS authentication method. You should not need to modify your filters outside of adding UPN.

     

    [Attachment: Screen Shot 2018-02-05 at 3.12.49 PM.png]



  • 3.  RE: Computed Attributes missing Certificate information

    Posted Feb 05, 2018 03:53 PM

    We have an issue with having duplicate UPNs in our environment and want to use the distinguishedName for the search as it is guaranteed to be unique.  The Subject-DN on the certificates equals the distinguishedName.

     

    I have used the EAP-TLS with Do not compare, Compare Distinguished Name and Compare CN or SAN and the query does not work.  I suspect that the Compare Distinguished Name and Compare CN or SAN is not working because we are not storing the certificates in AD so we cannot do a certificate to certificate comparison.

     

    The certificate information does show up in Computed Attributes with the following LDAP query with EAP-TLS set to Do not Compare:

     

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

     

    Why would the Computed Attributes change when (distinguishedName=%{Certificate:Subject-DN}) is added to the LDAP query?  The client should still be sending the same information to ClearPass which would include the certificate information.  It is as if ClearPass is dropping the certificate information.

     

    We would like to reduce the query to the following until the UPN issue is resolved:

     

    (|(&(objectClass=computer)(distinguishedName=%{Certificate:Subject-DN}))(&(objectClass=user)(distinguishedName=%{Certificate:Subject-DN})))



  • 4.  RE: Computed Attributes missing Certificate information

    EMPLOYEE
    Posted Feb 06, 2018 09:46 AM

    Unfortunately, that query is not possible. No environment should ever have more than one object with the same UPN.

     

    Best to work with your Aruba Partner or Aruba TAC to try and figure out a solution. It's difficult to troubleshoot here.



  • 5.  RE: Computed Attributes missing Certificate information

    Posted Feb 06, 2018 11:47 AM

    I agree, there should not be more than one object with the same UPN.  We are working to resolve, but it has been an issue for a long time. 

     

    Thank You for your help.  I have opened up a support case.



  • 6.  RE: Computed Attributes missing Certificate information
    Best Answer

    EMPLOYEE
    Posted Feb 06, 2018 12:40 PM

    The AD lookup is done based on the username configured in the supplicant, not necessarily the contents of the certificate.


  • 7.  RE: Computed Attributes missing Certificate information

    Posted Feb 07, 2018 10:14 AM

    I think that I found out why this query containing the Certificate:Subject-DN does not work from looking at the debug logs.

     

    The LDAP query is processed in the beginning before the Computed Attributes are enumerated.  Therefore the Certificate:Subject-DN value will be blank at the time it is processed causing the query to not find anything.

     

    Thanks for your input, it helped me find the reason that the query was not working.

     

    A query like this would only work if the Computed Attributes are processed before the LDAP query is processed.
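
    The evaluation order described in this post, as an added example that is not part of the original thread and not ClearPass's own code: a small Python model of how an authentication-source filter is expanded and then evaluated against a directory. The directory entries, the DN values and the two-phase model (Authentication:* available when the filter runs, Certificate:* computed afterwards) are assumptions for illustration; the three filter strings are the ones posted earlier in the thread. The filters referencing %{Certificate:Subject-DN} expand to an empty assertion value and match nothing in the order the debug logs showed, and return exactly one object only in the hypothetical order where the certificate attributes are available first. The username-only filter shows the other half of the problem: with two objects sharing a UPN it returns both.

```python
"""Model of the attribute-substitution order behind the thread's LDAP filter problem.

Added example, not ClearPass code. The directory contents, the DN values and the
two-phase evaluation model are assumptions for illustration; the three filter strings
are the ones posted in the thread.
"""
import re

# Constructed sample directory: two user objects that (wrongly) share a UPN, plus one computer.
JOHN_DN = "CN=John Doe,OU=Users,DC=corp,DC=example"
JANE_DN = "CN=Jane Doe,OU=Users,DC=corp,DC=example"
LAPTOP_DN = "CN=LAPTOP01,OU=Computers,DC=corp,DC=example"
DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example", "distinguishedName": JOHN_DN},
    {"objectClass": "user", "sAMAccountName": "jdoe2", "userPrincipalName": "jdoe@corp.example", "distinguishedName": JANE_DN},
    {"objectClass": "computer", "sAMAccountName": "LAPTOP01$", "distinguishedName": LAPTOP_DN},
]

# Filters from the thread: the username-only filter, the reduced DN-only filter, and their AND.
UPN_FILTER = (
    "(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
    "(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))"
)
DN_FILTER = (
    "(|(&(objectClass=computer)(distinguishedName=%{Certificate:Subject-DN}))"
    "(&(objectClass=user)(distinguishedName=%{Certificate:Subject-DN})))"
)
COMBINED_FILTER = "(&" + UPN_FILTER + DN_FILTER + ")"

VAR = re.compile(r"%\{([A-Za-z-]+):([A-Za-z-]+)\}")


def substitute(template, attrs):
    """Expand %{Namespace:Attr} references; a reference not yet available expands to ''."""
    return VAR.sub(lambda m: attrs.get(f"{m.group(1)}:{m.group(2)}", ""), template)


def parse(s, i=0):
    """Minimal RFC 4515 filter parser: '&', '|' and equality only; values contain no ')' (assumption)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("eq", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (case-insensitive equality)."""
    if node[0] == "eq":
        _, attr, value = node
        # An empty assertion value (an unexpanded %{...} reference) matches nothing.
        return value != "" and entry.get(attr, "").lower() == value.lower()
    op, children = node
    combine = all if op == "&" else any
    return combine(matches(c, entry) for c in children)


def ldap_lookup(template, attrs):
    """Expand the filter with the attributes available at that moment and run it."""
    expanded = substitute(template, attrs)
    tree, _ = parse(expanded)
    return expanded, [e["distinguishedName"] for e in DIRECTORY if matches(tree, e)]


def run_auth(template, username, cert_subject_dn):
    """Run the filter in the order the thread reports (Authentication:* known, Certificate:* not
    yet computed) and again in the hypothetical order where Certificate:* is already available."""
    before = {"Authentication:Username": username}
    after = dict(before, **{"Certificate:Subject-DN": cert_subject_dn})
    actual_filter, actual_hits = ldap_lookup(template, before)
    reordered_filter, reordered_hits = ldap_lookup(template, after)
    return {
        "actual_filter": actual_filter, "actual_hits": actual_hits,
        "reordered_filter": reordered_filter, "reordered_hits": reordered_hits,
    }


if __name__ == "__main__":
    for name, f in [("UPN", UPN_FILTER), ("DN", DN_FILTER), ("COMBINED", COMBINED_FILTER)]:
        r = run_auth(f, "jdoe@corp.example", JOHN_DN)
        print(f"{name}: actual={r['actual_hits']} reordered={r['reordered_hits']}")
```

    The practitioner's takeaway from the model is the same as the thread's: the directory lookup is keyed on the username the supplicant sends, not on the certificate, so with certificate comparison set to "Do not compare" the authorization attributes come from whichever object that username matches, and duplicate UPNs leave that binding ambiguous. Removing the duplicate UPNs is the fix; a filter built on %{Certificate:Subject-DN} cannot work while that attribute is still empty when the filter runs.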



  • 8.  RE: Computed Attributes missing Certificate information

    EMPLOYEE
    Posted Feb 07, 2018 10:22 AM

    Yes, correct.