I tried to set this up in my lab and have a working solution. If you duplicate your AD Authentication Source, name it TEAP Computer or so, you can adapt the Filter Query to: (&(sAMAccountName=%{Authentication:TEAP-Method-1-Username})(objectClass=computer)) and then apply that Auth Source as additional Authorization in your service.
Screenshots:
Authentication Source Filter tab (removed some other queries):
Filter for line 1:
Authorization tab in the service:

For the Groups retrieval to work, I added a role mapping:
If you leave this out, you will get the memberOf requested, but Groups is empty.
Then in Access Tracker under Authorization you can see the TEAP Groups, memberOf and UserDN (which in fact is a computer DN ;-):

Now creating a policy based on that should be obvious.
------------------------------
Herman Robers
------------------------------
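Added example, not part of the thread and not ClearPass code: a stand-alone Python sketch that renders the filter from the post above for a machine identity, so the resulting query can be checked with any LDAP client. The function names and the host name are constructed, and the mapping from "host/MACHINE.fqdn" to "MACHINE$" (first DNS label plus "$", at most 15 characters) is an assumption about how the computer account is named in AD.

```python
import re

# Characters RFC 4515 requires to be escaped inside an LDAP filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def machine_sam_from_teap_identity(identity: str) -> str:
    """Map 'host/MACHINE.fqdn' (or 'MACHINE$') to a computer sAMAccountName.

    Assumption: the account name is the first DNS label plus '$'. Host names
    longer than 15 characters are rejected here rather than guessed at.
    """
    name = identity.strip()
    if name.lower().startswith("host/"):
        name = name[len("host/"):]
    name = name.split(".", 1)[0].rstrip("$")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,15}", name):
        raise ValueError("unexpected machine identity: %r" % identity)
    # AD matches sAMAccountName case-insensitively; upper-casing is cosmetic.
    return name.upper() + "$"


def computer_filter(identity: str) -> str:
    """Render the thread's filter, restricted to computer objects."""
    sam = machine_sam_from_teap_identity(identity)
    return "(&(sAMAccountName=%s)(objectClass=computer))" % escape_filter_value(sam)


if __name__ == "__main__":
    # Constructed sample identity, in the form reported in the thread.
    print(computer_filter("host/LAB-PC01.example.test"))
```

The strict name check rejects identities carrying filter metacharacters before they reach the query, and the escaping stays in place as a second layer.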
Original Message:
Sent: Dec 07, 2022 09:23 AM
From: Sebastien Grim
Subject: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)
Hi Ricardoduarte,
Did you find a solution to your problem? I'm currently facing the same...
Thank you for your help ;)
Original Message:
Sent: May 02, 2021 06:16 AM
From: Ricardo Duarte
Subject: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)
Ok, I was able to overcome this issue.
One thing I'm missing with TEAP:
- Is it possible to make a query to get the groups the machine is a member of?
The TEAP-Method-1-Username is "host/MACHINE.fqdn", and I can't match that with any attribute inside AD. Any way to get it to show as MACHINE$?
Thanks.
------------------------------
Ricardo Duarte
Original Message:
Sent: May 01, 2021 07:11 AM
From: Ricardo Duarte
Subject: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)
While this does work, it will not allow me to get any info from LDAP.
The %{Authentication:username} inside LDAP queries doesn't seem to work with TEAP.
------------------------------
Ricardo Duarte
Original Message:
Sent: Apr 29, 2020 10:29 AM
From: Zak Emerick
Subject: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)
Attached is a PDF on how to configure Clearpass authentication using EAP-TEAP, also known as EAP-Chaining.
Environment:
Device: Windows 10 Insider Preview 2004 build 19613.
CPPM: 6.9.0
EAP-TEAP (RFC: 7170) Abstract:
This document defines the Tunnel Extensible Authentication Protocol (TEAP) version 1. TEAP is a tunnel-based EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) protocol to establish a mutually authenticated tunnel. Within the tunnel, TLV objects are used to convey authentication-related data between the EAP peer and the EAP server.
EAP-TEAPv1 allows for the User and Machine to authenticate during the same session. This will make User + Machine authentication much more graceful.
Instead of relying on the Machine authentication cache in CPPM, you will get the authentication status on the first authentication attempt of both the User and Machine.
NOTE: My original post disappeared for some reason without notice, so I'm posting again. If I have violated a forum rule somehow please let me know.