Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

cant get ordered filter for attributes

This thread has been viewed 7 times

  • 1.  cant get ordered filter for attributes

    Posted Nov 02, 2012 09:29 AM

    hello

    im getting the following error but still im able to authenticate. do you have any idea why?

     

    2012-11-02 14:23:27,673[AuthReqThreadPool-4-0x4250c940 r=R000001a8-01-5093c94f h=17] ERROR AuthSource.AuthAttributesInfo - Can't get ordered filters for attributes; error in getting filter for attribute cn
    2012-11-02 14:23:27,673[AuthReqThreadPool-4-0x4250c940 r=R000001a8-01-5093c94f h=17] ERROR Ldap.LdapQuery - Failed to get value for attributes=cn]
    2012-11-02 14:23:27,675[RequestHandler-1-0x4431b940 h=6175 c=R000001a8-01-5093c94f] ERROR Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Authorization:AD_Authentication:cn}, error=No values for param=Authorization:AD_Authentication:cn
    2012-11-02 14:23:27,675

    [RequestHandler-1-0x4431b940 h=6175 c=R000001a8-01-5093c94f] ERROR Core.EnfProfileComputer - checkAddAttr: Failed to find finalValue for %{Authorization:AD_Authentication:cn}

     

    Attributes
    Filter:(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))
    Attributes:The following attributes are selected for this filter -
     NameAlias NameEnabled as
    1.DepartmentDepartmentAttribute
    2.MemberOfMemberOfAttribute
    3.mailEmailAttribute
    4.displayNamedisplayNameAttribute
    5.distinguishedNamedistinguishedName

    Attribute



  • 2.  RE: cant get ordered filter for attributes

    EMPLOYEE
    Posted Nov 02, 2012 09:39 AM

    In the Primary Tab of your AD authentication source, did you enter a "Bind User"?  Can you click on "Search Base DN" to see if that LDAP user can browse correctly?

     

     



  • 3.  RE: cant get ordered filter for attributes

    Posted Nov 02, 2012 09:47 AM

    yes i did otherwise i guess nothing would have worked.

     



  • 4.  RE: cant get ordered filter for attributes

    EMPLOYEE
    Posted Nov 02, 2012 09:50 AM

    Without that Bind user, authentication will work but Authorization (retrieving attributes) will not.  Joining domain allows authentication via 802.1x.  Adding a bind user provides authorization on top of that.

     

    You should open a TAC case if the Browse works but you continue to have that error.

     



  • 5.  RE: cant get ordered filter for attributes

    Posted Nov 02, 2012 09:53 AM

    its strange because the log state , there is no hostname

     

    2012-11-02 14:49:22,258[AuthReqThreadPool-1-0x41716940 r=R000001b5-01-5093cf62 h=14] ERROR AuthSource.AuthAttributesInfo - Can't get ordered filters for attributes; error in getting filter for attribute HostName
    2012-11-02 14:49:22,258[AuthReqThreadPool-1-0x41716940 r=R000001b5-01-5093cf62 h=14] ERROR Ldap.LdapQuery - Failed to get value for attributes=HostName]
    2012-11-02 14:49:22,259[RequestHandler-1-0x4431b940 h=6368 c=R000001b5-01-5093cf62] ERROR Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Authorization:AD_Authentication:HostName}, error=No values for param=Authorization:AD_Authentication:HostName
    2012-11-02 14:49:22,259[RequestHandler-1-0x4431b940 h=6368 c=R000001b5-01-5093cf62] ERROR Core.EnfProfileComputer - checkAddAttr: Failed to find finalValue for %{Authorization:AD_Authentication:HostName}

     

    but my attribs are diffrent,

    1.DepartmentDepartment=Attribute  
    2.MemberOfMemberOf=Attribute  
    3.mailEmail=Attribute  
    4.displayNamedisplayName=Attribute  
    5.distinguishedNamedistinguishedName=Attribute  
    6.Click to add...   


  • 6.  RE: cant get ordered filter for attributes

    EMPLOYEE
    Posted Nov 02, 2012 09:58 AM

    You are missing some attributes:

     

    attributes.png

    filter2.png



  • 7.  RE: cant get ordered filter for attributes

    Posted Nov 02, 2012 10:45 AM

    same error why is he looing for hostname

    2012-11-02 15:40:24,717[AuthReqThreadPool-1-0x41716940 r=R000001b6-01-5093db58 h=14] ERROR AuthSource.AuthAttributesInfo - Can't get ordered filters for attributes; error in getting filter for attribute HostName
    2012-11-02 15:40:24,717[AuthReqThreadPool-1-0x41716940 r=R000001b6-01-5093db58 h=14] ERROR Ldap.LdapQuery - Failed to get value for attributes=HostName]
    2012-11-02 15:40:24,717[RequestHandler-1-0x4431b940 r=R000001b6-01-5093db58 h=6400 c=R000001b6-01-5093db58] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
    2012-11-02 15:40:24,718[RequestHandler-1-0x4431b940 h=6399 c=R000001b6-01-5093db58] ERROR Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Authorization:AD_Authentication:HostName}, error=No values for param=Authorization:AD_Authentication:HostName
    2012-11-02 15:40:24,718[RequestHandler-1-0x4431b940 h=6399 c=R000001b6-01-5093db58] ERROR Core.EnfProfileComputer - checkAddAttr: Failed to find finalValue for %{Authorization:AD_Authentication:HostName}


  • 8.  RE: cant get ordered filter for attributes

    EMPLOYEE
    Posted Nov 02, 2012 10:47 AM

    Did you add the filter and the associated attributes?

     

    If you did, please open a support case so that this can be looked into further.

     



  • 9.  RE: cant get ordered filter for attributes

    Posted Nov 02, 2012 10:50 AM

    i only have these two now; it should be enough no?

     

    Filter NameAttribute NameAlias NameEnabled As  
    1.AuthenticationDepartmentDepartmentAttribute  
     MemberOfMemberOfAttribute
     mailEmailAttribute
     displayNamedisplayNameAttribute
     distinguishedNamedistinguishedNameAttribute
    2.MachinednSHostNameHostNameAttribute 

     

     

     

     operatingSystemOperatingSystemAttribute
     operatingSystemServicePackOSServicePack

    Attribute

     
    Filters :

    1. (&(objectClass=user)(sAMAccountName=%{Authentication:Username})) 2. (&(objectClass=computer)(sAMAccountName=%{Host:Name}))



  • 10.  RE: cant get ordered filter for attributes

    Posted Nov 02, 2012 11:12 AM

    i have re-created the service from scratch

    still getting the same error

    [AuthReqThreadPool-1-0x41716940 r=R000001b6-01-5093db58 h=14] ERROR AuthSource.AuthAttributesInfo - Can't get ordered filters for attributes; error in getting filter for attribute HostName

     

    although everything is working fine

     

     



  • 11.  RE: cant get ordered filter for attributes

    EMPLOYEE
    Posted Nov 02, 2012 07:26 PM

    You might have created the filter incorrectly.  If you can, you might want to open a TAC case so that they can get it sorted out.

    Otherwise, it will be rather painful to troubleshoot it here, but we can certainly try...