Security

Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

MAC caching with LDAP and check useraccountControl

Hi guys, I didn't want to ask because there are plenty more posts with similar questions, but I couldn't find one that solves my problem and I couldn't solve it myself.

So right now I have mac-caching enabled and it works; now I want to be able to assign the MAC Caching Role only if the user account is valid. I have a few questions.

1. When the user sends its username to the WLC and it hits the MAC AAA profile with MAC authentication enabled, the WLC will use the user's MAC address as the User-Name, in my case (AVP: l=14 t=User-Name(1): dcef09e1cecc)

2. So my WLC is sending the RADIUS requests to CPPM, so it needs to rely on its authentication sources, in this case LDAP. But when I look at the LDAP packet capture I see (Filter: (&(sAMAccountName=dcef09e1cecc)(objectClass=user))

I am not sure if I am looking at this from the correct angle, but please let me know or point me in the correct direction. Thanks

Contributor II
Posts: 54
Registered: ‎12-01-2016

Re: MAC caching with LDAP and check useraccountControl

Why do you need MAC caching if you are still evaluating user credentials every time he connects to the network?

Jibran Aziz
ACDX | ACCP | ACMP | ACMA | CCIE (RnS, SP, DC) | JNCIS | JNCIA
Guru Elite
Posts: 8,333
Registered: ‎09-08-2010

Re: MAC caching with LDAP and check useraccountControl

During the initial web authentication, you need to stamp the username to the endpoint repository.

 

Then you can create a new AD auth source that uses %{Endpoint:Username} in the authentication filter.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
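The two-stage lookup described in the thread, as an added example that is not part of the original post or of ClearPass itself: a MAC is first resolved against the endpoint repository, the stamped username (or, when none is stamped yet, the MAC that arrived as the RADIUS User-Name) is substituted for %{Endpoint:Username}, and the resulting filter is evaluated against a constructed in-memory directory. It goes one step beyond the thread by also adding the userAccountControl check the title asks about (the AD bitwise-AND matching rule 1.2.840.113556.1.4.803 against the ACCOUNTDISABLE bit 0x2) and by escaping the substituted value per RFC 4515, since the username comes from a user-controlled captive-portal login. The endpoint and directory contents are constructed sample data; the evaluator handles only this one filter shape.

```python
import re
from typing import Optional

# Constructed sample data: endpoint repository keyed by MAC (as the WLC sends it
# in User-Name). Only endpoints that completed web auth have a username stamped.
ENDPOINTS = {
    "dcef09e1cecc": {"username": "jdoe"},        # stamped during captive-portal login
    "aabbccddeeff": {"username": "asmith"},      # stamped, but account is disabled in AD
    "deadbeef0000": {"username": "*)(objectClass=*"},  # hostile value, must be escaped
    "001122334455": {},                          # never completed web auth
}

# Constructed AD-like directory: sAMAccountName -> attributes.
# userAccountControl bit 0x2 (ACCOUNTDISABLE) marks a disabled account.
ACCOUNTDISABLE = 0x2
DIRECTORY = {
    "jdoe":   {"objectClass": ["user"], "userAccountControl": 512},
    "asmith": {"objectClass": ["user"], "userAccountControl": 514},
}

# Assumed filter: the thread's filter plus a clause that rejects disabled accounts.
FILTER_TEMPLATE = (
    "(&(sAMAccountName=%{Endpoint:Username})(objectClass=user)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def resolve_username(mac: str) -> Optional[str]:
    """Look the MAC up in the endpoint repository and return the stamped username."""
    return ENDPOINTS.get(mac, {}).get("username")


def build_filter(mac: str, template: str = FILTER_TEMPLATE) -> str:
    """Substitute %{Endpoint:Username}; fall back to the MAC when nothing is stamped yet.

    The fallback is why the first MAC-auth attempt in the thread queries AD for the
    MAC itself: there is no username to substitute until web auth has happened.
    """
    username = resolve_username(mac)
    if username is None:
        username = mac
    return template.replace("%{Endpoint:Username}", ldap_escape(username))


_FILTER_RE = re.compile(
    r"\(&\(sAMAccountName=(.*?)\)\(objectClass=user\)"
    r"\(!\(userAccountControl:1\.2\.840\.113556\.1\.4\.803:=2\)\)\)$"
)


def evaluate(filter_str: str) -> Optional[str]:
    """Evaluate the one supported filter shape against DIRECTORY; return the matched sAMAccountName."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        return None
    wanted = m.group(1)  # still escaped, so compare against escaped directory names
    for sam, attrs in DIRECTORY.items():
        if ldap_escape(sam) != wanted:
            continue
        if "user" not in attrs["objectClass"]:
            continue
        if attrs["userAccountControl"] & ACCOUNTDISABLE:
            continue  # the (!(userAccountControl:...:=2)) clause rejects disabled accounts
        return sam
    return None


def authorize(mac: str) -> Optional[str]:
    """Full MAC-auth decision: username to hand the MAC Caching Role to, or None."""
    return evaluate(build_filter(mac))


if __name__ == "__main__":
    for mac in ENDPOINTS:
        print(mac, "->", build_filter(mac), "=>", authorize(mac))
```

Running it shows the behaviour the thread reports: the endpoint with no stamped username produces a filter that searches AD for the MAC and matches nothing, the stamped-and-enabled user is authorized, the disabled account is rejected by the userAccountControl clause, and the hostile username is neutralised by escaping rather than widening the filter.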
Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: MAC caching with LDAP and check useraccountControl

I got it working. I am curious whether it is normal that the first time the user connects using MacAuth it sends the query to LDAP looking for the MAC address as the username, and only after that fails does it go and query the username that was taken from the Endpoint Database. I guess it is normal but wanted confirmation on that.

Guru Elite
Posts: 8,333
Registered: ‎09-08-2010

Re: MAC caching with LDAP and check useraccountControl

Yes, because the username doesn't exist yet.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: MAC caching with LDAP and check useraccountControl

Hi, I have this weird issue where the user adds the "username" to the endpoint the first time he logs in via the captive portal, but after the idle-timeout expires and it is time to use the mac-auth it still tries to send the MAC address to the Active Directory server instead of using the username that is already stamped into the username field of the endpoint.

I made sure I have the filter (&(sAMAccountName=%{Endpoint:Username})(objectClass=user)) added to the Authentication source, but when I do a packet capture on the Active Directory server I still see the MAC address as the sAMAccountName. Any ideas why?
