03-21-2017 11:18 AM
I've been looking through the forums and from what I can understand, the "Authorization Required" option in the "Edit Authentication Method" box is to compare the Username in the certificate against AD. Is this correct? Does this add additional security? What is a good use case for this?
Also, I've tried to enable it and when I do, I get an error in the logs saying that the user can't be found. When I uncheck/disable it, it authenticates just fine. Trying to figure out what might be the issue.
03-21-2017 11:21 AM
Please post screenshots of the alert and summary tabs from access tracker.
03-21-2017 11:37 AM
It looks to be just sAMAccountName. But I don't know much about setting up attributes. I've attached what I believe you are asking for. If I need to add userPrincipalName, is this done in the "Filter Query" under the Filter Name...which we have labeled "Authentication"? And is it either or? Or both? ...like both sAMAccountName and userPrincipalName? Thanks!
03-21-2017 11:43 AM
First confirm in AD that the username presented is indeed the user's UPN.
If you want to support both username formats, replace your Authentication filter query with:
Ideally, you should choose one username format from a user experience standpoint. Fully qualified username (UPN) is always my recommendation these days.
03-21-2017 12:39 PM
If you have enabled Username strip in the 802.1x service, please disable and try EAP TLS authentication with authorization enabled. Also, please make sure that you have added the correct AD authentication source in the 802.1x service.