Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
MAC caching with LDAP and check useraccountControl

  • 1.  MAC caching with LDAP and check useraccountControl

    Posted Feb 07, 2017 06:36 PM

    Hi guys, I didn't want to ask because there are plenty more posts with similar questions, but I couldn't find one that solves my problem and I couldn't solve it myself.

    So right now I have MAC caching enabled and it works. Now I want to be able to assign the MAC Caching Role only if the user account is valid. I have a few questions.

    1. When the user sends its username to the WLC and it hits the MAC AAA profile with MAC authentication enabled, the WLC will use the user's MAC address as the User-Name, in my case (AVP: l=14 t=User-Name(1): dcef09e1cecc).

    2. So my WLC is sending the RADIUS requests to CPPM, so it needs to rely on its authentication sources, in this case LDAP. But when I look at the LDAP packet capture I see (Filter: (&(sAMAccountName=dcef09e1cecc)(objectClass=user))

    I am not sure if I am looking at this from the correct angle, but please let me know or point me in the correct direction. Thanks



  • 2.  RE: MAC caching with LDAP and check useraccountControl

    Posted Feb 07, 2017 07:59 PM

    Why do you need MAC caching if you are still evaluating user credentials every time he connects to the network?



  • 3.  RE: MAC caching with LDAP and check useraccountControl

    EMPLOYEE
    Posted Feb 11, 2017 02:48 PM

    During the initial web authentication, you need to stamp the username to the endpoint repository.

    Then you can create a new AD auth source that uses %{Endpoint:Username} in the authentication filter.
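    An added illustration of the approach in this reply (my own example, not ClearPass code or anything posted in the thread): it expands a %{Endpoint:Username} filter from a constructed endpoint repository and, going one step beyond the reply, appends a userAccountControl clause using Active Directory's bitwise-AND matching rule so that disabled accounts never get the MAC caching role. The endpoint records, AD entries and role names are constructed sample data.

```python
import re
from typing import Optional
# Documented Active Directory userAccountControl bits.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
# AD extensible-match rule OID for bitwise AND (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND = "1.2.840.113556.1.4.803"
# The thread's filter plus an assumed clause that rejects disabled accounts.
AUTH_FILTER = (
    "(&(sAMAccountName=%{Endpoint:Username})(objectClass=user)"
    f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"
)
# Constructed data: endpoint repository keyed by MAC, and AD entries.
ENDPOINTS = {
    "dcef09e1cecc": {"Username": "alice"},  # stamped at first captive-portal login
    "001122334455": {},                     # never completed web auth
    "aabbccddeeff": {"Username": "bob"},
}
DIRECTORY = {
    "alice": {"userAccountControl": 0x200},                  # normal, enabled
    "bob": {"userAccountControl": 0x200 | ACCOUNTDISABLE},   # disabled in AD
}

def expand_filter(template: str, mac: str) -> Optional[str]:
    """Substitute %{Endpoint:Attr} from the endpoint record; None when no username
    is stamped yet (the first-MAC-auth case: only the MAC in User-Name exists)."""
    attrs = ENDPOINTS.get(mac, {})
    missing = False
    def repl(m: re.Match) -> str:
        nonlocal missing
        val = attrs.get(m.group(1), "")
        missing = missing or not val
        return val
    out = re.sub(r"%\{Endpoint:(\w+)\}", repl, template)
    return None if missing else out

def account_usable(uac: int) -> bool:
    """Server-side effect of the bitwise-AND clause, extended to locked accounts."""
    return uac & (ACCOUNTDISABLE | LOCKOUT) == 0

def mac_auth_role(mac: str) -> str:
    """Role a MAC-auth request gets: cached access only for a stamped, usable account."""
    if expand_filter(AUTH_FILTER, mac) is None:
        return "captive-portal"  # no username yet: user must log in via web auth
    entry = DIRECTORY.get(ENDPOINTS[mac]["Username"])
    if entry is None or not account_usable(entry["userAccountControl"]):
        return "deny"
    return "mac-caching-role"
```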



  • 4.  RE: MAC caching with LDAP and check useraccountControl

    Posted Feb 15, 2017 09:49 AM

    I got it working. I am curious if it is normal that the first time the user connects using MAC auth it sends the query to LDAP looking for the MAC address as the username, and only after that fails does it go and query the username that was taken from the Endpoint Database. I guess it is normal but wanted confirmation on that.



  • 5.  RE: MAC caching with LDAP and check useraccountControl
    Best Answer

    EMPLOYEE
    Posted Feb 15, 2017 09:52 AM
    Yes, because the username doesn't exist yet.


  • 6.  RE: MAC caching with LDAP and check useraccountControl

    Posted Apr 01, 2017 12:26 AM

    Hi, I have this weird issue where the user adds the "username" to the endpoint the first time he logs in via the captive portal, but after the idle timeout expires and it is time to use the MAC auth, it still tries to send the MAC address to the Active Directory server instead of using the username that is already stamped into the username field of the endpoint.

    I made sure I have the filter (&(sAMAccountName=%{Endpoint:Username})(objectClass=user)) added to the authentication source, but when I do a packet capture on the Active Directory server I still see the MAC address as the sAMAccountName. Any ideas why?


