You might have a requirement where ClearPass could be joined to multiple domains which do not have a trust relationship, and you have separate authentication sources for each of them. In that case, if you create a single service with all the authentication sources in it we might have a lot of delay in traversing through the list of authentication sources. This article helps us create a regular expression that can be used for service categorization enabling us to create a unique service for each domain.
When you have multiple domain users authenticating you typically need the domain part in the username either in the "netbios\username" format or "email@example.com" format for user authentication. For machine authentication it would be in "host\xyz.domain.com" format where xyz is the hostname of the machine.
So we can use the Service Categorization rule "Radius:IETF Username MATCHES_REGEX" for categorizing all requests from a particular domain by creating a regular expression for the corresponding domain.
The Regular Expression for handling both types of user authentication discussed above and also Machine authentication for the Domain name "domain.com" is going to be
The 1st part of the regular expression highlighted below covers the Machine authentication
The 2nd part of the regular expression highlighted below covers the User authentication in "netbios\username" format (In this example "domain" is assumed to be the netbios name)
The 3rd part of regular expression highlighted below covers the User authentication in UPN "firstname.lastname@example.org" format
The regular expression above can be applied to any domain name by replacing the domain name.
For instance if your domain name is "testcorp.com" instead of "domain.com" then the string should like [tT][eE][sS][tT][cC][oO][rR][pP].
As discussed we need to configure a service with the service rule as shown below along with your other service conditions
Once that's done all the users authenticating from "domain.com" domain only would be handled by this service. For other domains also we can configure the services by putting in the appropriate regular expression.
Once we put this regular expression in place we should see that this service will only handle users from that particular domain. We need to make sure that the regular expression we are putting is valid.
We can validate regular expressions using this website http://www.regexpal.com/
We can put the regular expression developed under the Regular Expression field and the sample username under the Test String field
Any match would like below
Any mismatch would look like below
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.