Regular Expression for User and Machine authentication in an AD Domain

By esupport posted Mar 01, 2017 06:08 AM


You might have a requirement where ClearPass is joined to multiple domains that do not have a trust relationship, with a separate authentication source for each of them. In that case, if you create a single service containing all of the authentication sources, every request may be delayed while ClearPass traverses the list of authentication sources. This article helps us create a regular expression that can be used for service categorization, enabling us to create a unique service for each domain.


When you have users from multiple domains authenticating, you typically need the domain part in the username, either in the "netbios\username" format or the "" format for user authentication. For machine authentication it would be in the "host\" format, where xyz is the hostname of the machine.

So we can use the Service Categorization rule "Radius:IETF Username MATCHES_REGEX" for categorizing all requests from a particular domain by creating a regular expression for the corresponding domain.



The Regular Expression for handling both types of user authentication discussed above and also Machine authentication for the Domain name "" is going to be



The 1st part of the regular expression highlighted below covers the Machine authentication 




The 2nd part of the regular expression highlighted below covers the User authentication in "netbios\username" format (In this example "domain" is assumed to be the netbios name)




The 3rd part of regular expression highlighted below covers the User authentication in UPN "" format




The regular expression above can be applied to any domain name by replacing the domain name.


For instance, if your domain name is "" instead of "", then the string should look like [tT][eE][sS][tT][cC][oO][rR][pP].
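As an added example (not the article's own pattern and not ClearPass code), the three parts described above can be assembled from a domain name using the same `[tT][eE]...` character-class trick the article uses, and checked against sample usernames. The `host/<hostname>.<dns domain>` form of the machine-account name, the `^...$` anchoring and the sample usernames are assumptions, since the article's own regular expression and domain name are not reproduced on this page.

```python
import re


def case_insensitive_class(text: str) -> str:
    """Expand 'testcorp' into '[tT][eE][sS][tT][cC][oO][rR][pP]'.

    Letters become a two-character class; anything else ('.', '-') is
    escaped so it is matched literally.
    """
    parts = []
    for ch in text:
        if ch.isalpha():
            parts.append(f"[{ch.lower()}{ch.upper()}]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def build_domain_regex(netbios: str, dns_domain: str) -> str:
    """Build one anchored alternation covering the three username forms.

    Part 1: machine authentication, assumed as host/<hostname>.<dns domain>
    Part 2: user authentication as <netbios>\\<username>
    Part 3: user authentication as UPN <username>@<dns domain>
    """
    nb = case_insensitive_class(netbios)
    dns = case_insensitive_class(dns_domain)
    machine = rf"host/[^/\\@]+\.{dns}"   # part 1
    netbios_user = rf"{nb}\\[^\\@]+"     # part 2
    upn = rf"[^\\@]+@{dns}"              # part 3
    return rf"^(?:{machine}|{netbios_user}|{upn})$"


def matches_domain(username: str, netbios: str, dns_domain: str) -> bool:
    """True if the username belongs to the given domain in any of the three forms."""
    return re.fullmatch(build_domain_regex(netbios, dns_domain), username) is not None


if __name__ == "__main__":
    # Constructed sample usernames; 'testcorp' is a placeholder domain.
    samples = [
        "host/PC01.testcorp.local",   # machine auth, part 1
        "TESTCORP\\alice",            # netbios\username, part 2
        "alice@TestCorp.local",       # UPN, part 3
        "othercorp\\bob",             # different domain: no match
        "alice@othercorp.local",      # different domain: no match
    ]
    print(build_domain_regex("testcorp", "testcorp.local"))
    for name in samples:
        print(f"{name!r:32} -> {matches_domain(name, 'testcorp', 'testcorp.local')}")
```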





As discussed, we need to configure a service with the service rule shown below, along with your other service conditions.


Once that's done all the users authenticating from "" domain only would be handled by this service. For other domains also we can configure the services by putting in the appropriate regular expression.




Once we put this regular expression in place, this service will only handle users from that particular domain. We need to make sure that the regular expression we put in place is valid.

We can validate regular expressions using this website

We can put the regular expression developed under the Regular Expression field and the sample username under the Test String field

Any match would look like below


Any mismatch would look like below