Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User not found in onboard devices repository

  • 1.  User not found in onboard devices repository

    Posted May 29, 2017 11:44 AM

    Dear community,

    I've been scratching my head over the following issue; I hope you guys can help.

    I've got dual-SSID onboarding set up using the built-in wizard and some minor adjustments to include AD auth. The process works fine until the device has been successfully onboarded and enters the 'Onboard Provisioning' service. I'm getting an authentication error telling me my username has not been found.

    Debug log:

    DEBUG RadiusServer.Radius - radius_xlat: 'SELECT user_credential(password) AS User_Password, CASE WHEN enabled = FALSE THEN 225 WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226 WHEN approval_status != 'Approved' THEN 227 ELSE 0 END AS Account_Status, sponsor_name FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('********')::text) AND (app_name = 'Onboard'))'
    DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): Reserving sql socket id: 31
    DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): User ******** not found
    DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): Released sql socket id: 31
    DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): User not found

    I tinkered a bit with pgAdmin to test the query being used as the filter in the authentication source.

    SELECT user_credential(password) AS User_Password, CASE WHEN enabled = FALSE THEN 225 WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226 WHEN approval_status != 'Approved' THEN 227 ELSE 0 END AS Account_Status, sponsor_name FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('%{Authentication:Username}')::text) AND (app_name = 'Onboard'))

    I've isolated my issue to the following part of the query:

    (user_id = mdps_username_to_serial('%{Authentication:Username}')::text)

    ClearPass fills this with my authenticated username and gets NULL in return. Removing this portion returns a user, but I lose an important check. After reviewing the PostgreSQL function, it seems it expects more data in order to return anything but NULL.

    RETURN CAST(substring(username from ':(\\d+):(OnboardDevice|mdps_generic)$') AS numeric);

    Using a regex tool, I found out that if I provide data in the format <username>:<user id of onboarded device>:OnboardDevice, the onboard device filter query starts returning an entry.

    Can anyone help me finish my onboarding service so I can start using it? I feel I've already taken a rather deep dive for something possibly quite trivial :-)
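As an added illustration (not part of the original thread, and not ClearPass code), the following Python script mirrors the regex quoted from mdps_username_to_serial() and runs a simplified version of the Onboard Devices filter query against a constructed in-memory table. It shows why a plain AD username such as a.wubben yields NULL and therefore "User not found", while a <username>:<serial>:OnboardDevice value matches a row. The table rows, the serials and the username are made up for the example; the start_time/expire_time check from the real query is left out because it relies on PostgreSQL's now(), and user_credential() is not reproduced.

```python
import re
import sqlite3

# Regex from the mdps_username_to_serial() body quoted in the post. PostgreSQL's
# substring(x from pattern) returns the first capture group, i.e. the digits.
SERIAL_RE = re.compile(r":(\d+):(OnboardDevice|mdps_generic)$")


def mdps_username_to_serial(username):
    """Python mirror of the PostgreSQL function: the numeric serial embedded in
    '<username>:<serial>:OnboardDevice' (or ':mdps_generic'), else None (SQL NULL)."""
    if username is None:
        return None
    m = SERIAL_RE.search(username)
    return int(m.group(1)) if m else None


# Constructed sample rows for tips_guest_users; not real ClearPass data.
# Columns: user_id, guest_type, app_name, enabled, approval_status
SAMPLE_ROWS = [
    ("1234", "USER", "Onboard", 1, "Approved"),    # healthy onboarded device
    ("5678", "USER", "Onboard", 0, "Approved"),    # disabled -> Account_Status 225
    ("9999", "DEVICE", "Onboard", 1, "Approved"),  # wrong guest_type, never matches
]

# Simplified form of the filter query from the post. The time-window branch (226)
# is omitted; everything else follows the original WHERE clause. The '?' stands
# in for ClearPass's %{Authentication:Username} substitution.
FILTER_SQL = """
SELECT user_id,
       CASE WHEN enabled = 0 THEN 225
            WHEN approval_status != 'Approved' THEN 227
            ELSE 0 END AS Account_Status
FROM tips_guest_users
WHERE guest_type = 'USER'
  AND user_id = CAST(mdps_username_to_serial(?) AS TEXT)
  AND app_name = 'Onboard'
"""


def lookup(username, rows=SAMPLE_ROWS):
    """Run the filter query the way rlm_sql would. Returns the matching
    (user_id, Account_Status) tuple, or None, which is the 'User not found' case.
    Because NULL never equals anything in SQL, a username without the
    ':<serial>:OnboardDevice' suffix can never match a row."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("mdps_username_to_serial", 1, mdps_username_to_serial)
    conn.execute(
        "CREATE TABLE tips_guest_users ("
        "user_id TEXT, guest_type TEXT, app_name TEXT, "
        "enabled INTEGER, approval_status TEXT)"
    )
    conn.executemany("INSERT INTO tips_guest_users VALUES (?,?,?,?,?)", rows)
    row = conn.execute(FILTER_SQL, (username,)).fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    for name in [
        "a.wubben",                        # bare AD username -> NULL -> not found
        "a.wubben:1234:OnboardDevice",     # matches, enabled
        "a.wubben:5678:OnboardDevice",     # matches, but disabled (225)
        "a.wubben:9999:OnboardDevice",     # serial exists but guest_type != USER
        "a.wubben:1234:mdps_generic",      # alternate suffix accepted by the regex
    ]:
        print(f"{name!r:36} serial={mdps_username_to_serial(name)!r:6} -> {lookup(name)}")
```

Running it prints one line per sample username; only the suffixed forms return a row, which is exactly what the rlm_sql debug output in the post reflects for the bare username.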

     



  • 2.  RE: User not found in onboard devices repository

    EMPLOYEE
    Posted May 29, 2017 11:47 AM
    Did you use the service templates?


  • 3.  RE: User not found in onboard devices repository

    Posted May 29, 2017 11:49 AM

    Indeed I did; I added some minor tweaks afterwards to use AD as the auth source instead of the guest repo.



  • 4.  RE: User not found in onboard devices repository

    EMPLOYEE
    Posted May 29, 2017 09:35 PM

    Please share screenshots of your Onboard Authorization service.



  • 5.  RE: User not found in onboard devices repository

    Posted May 30, 2017 03:36 AM

    Thanks for having a look, Cappalli. I've included the screenshot of the authorization service. I haven't changed this yet, as I'm still working on the authentication part :-)



  • 6.  RE: User not found in onboard devices repository

    EMPLOYEE
    Posted May 30, 2017 10:47 AM

    Arian,

    I see that in the Authorization service, Active Directory is not added to the authorization list. Could you add it and check the status?

    Regards,

    Pavan

    If my post addresses your query, give kudos :)



  • 7.  RE: User not found in onboard devices repository

    Posted May 30, 2017 11:01 AM

    Pavan,

    I did as you suggested, without success. I don't see how changing my authorization service fixes the issue I have with my provisioning service?



  • 8.  RE: User not found in onboard devices repository

    EMPLOYEE
    Posted May 30, 2017 11:06 AM

    Has AD been added as an authentication source in the provisioning service? Could you share the Access Tracker log?

    Regards,

    Pavan



  • 9.  RE: User not found in onboard devices repository

    Posted May 30, 2017 11:27 AM

    Dear Pavan,

    The only place AD is used for authentication is the pre-auth service, which works just fine. As I explained, I can onboard devices without issues, but after this process the onboard device repository doesn't seem to return the username associated with the onboarded device, thus failing the authentication.

    I've included the logs. Take note especially of the provisioning log related to the onboard device repository:

    Trying to (re)connect unconnected handle 31..
    Attempting to connect rlm_sql_unixodbc #31
    Connected new DB handle, #31
    User a.wubben not found
    Released sql socket id: 31
    User not found


  • 10.  RE: User not found in onboard devices repository

    EMPLOYEE
    Posted May 30, 2017 11:33 AM
    Please open a TAC case. It’s very difficult to troubleshoot on here.


  • 11.  RE: User not found in onboard devices repository
    Best Answer

    Posted May 30, 2017 12:23 PM

    Dear Cappalli,

    Good advice, I'll do that next time. I've figured it out, though! The issue was my AD authentication source. I was using a copy with different base DN settings. This copy didn't contain the username required, so naturally authentication failed. After selecting the AD source with full access, it succeeded.

    Problem solved!