Dear community,
I've been scratching my head over the following issue, I hope you guys can help.
I've got dual SSID onboarding set up using the built-in wizard and some minor adjustments to include AD auth. The process works fine until the device has been successfully onboarded and enters the 'Onboard Provisioning' service. I'm getting an authentication error telling me my username has not been found.
Debug log:
DEBUG RadiusServer.Radius - radius_xlat: 'SELECT user_credential(password) AS User_Password, CASE WHEN enabled = FALSE THEN 225 WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226 WHEN approval_status != 'Approved' THEN 227 ELSE 0 END AS Account_Status, sponsor_name FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('********')::text) AND (app_name = 'Onboard'))'
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): Reserving sql socket id: 31
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): User ******** not found
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): Released sql socket id: 31
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): User not found
I tinkered a bit with pgAdmin to test the query being used as filter in the authentication source.
SELECT user_credential(password) AS User_Password, CASE WHEN enabled = FALSE THEN 225 WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226 WHEN approval_status != 'Approved' THEN 227 ELSE 0 END AS Account_Status, sponsor_name FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('%{Authentication:Username}')::text) AND (app_name = 'Onboard'))
I've isolated my issue to the following part of the query:
(user_id = mdps_username_to_serial('%{Authentication:Username}')::text)
ClearPass fills this with my authenticated username and gets NULL in return. Removing this portion returns a user but I lose an important check. After reviewing the postgresql function it seems it expects more data in order to return anything but NULL.
RETURN CAST(substring(username from ':(\\d+):(OnboardDevice|mdps_generic)$') AS numeric);
Using a regex tool I found out if I provide data in the format <username>:<user id of onboarded device>:OnboardDevice, the onboard device filter query starts returning an entry.
Can anyone help me to finish my onboarding service so I can start using it? I feel I've already took a rather deep dive for something possibly quite trivial :-)