Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Filtering in Services

  • 1.  Filtering in Services

    Posted Oct 05, 2021 02:38 AM
    Is it possible, within Services -> Service, to filter so that if a username starts with a number it drops the authentication?

    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------


  • 2.  RE: Filtering in Services

    MVP GURU
    Posted Oct 05, 2021 07:25 AM
    Have you tried filtering with the service rules, or under enforcement using regular expressions? See Link here : https://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/Content/Reference/RegularExpressions.htm


    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: Filtering in Services

    Posted Oct 14, 2021 03:01 AM
    Sorry for my late reply.

    So when I would add the last rule in the screenshot, it will not authenticate users whose username starts with a number?



    ------------------------------
    Henk-Jan
    ------------------------------



  • 4.  RE: Filtering in Services
    Best Answer

    EMPLOYEE
    Posted Oct 14, 2021 03:57 AM
    Henk-Jan,

    No, you need the REGEX, not the 'BEGINS_WITH'. I just tested the following in my lab:

    Radius:IETF User-Name NOT_MATCHES_REGEX ^[0-9].*

    Where the ^ = start of line (first character); [0-9] = any character 0-9 (immediately after the start of line); and then .* = . means any character, and * means zero or more times. If you search the internet on 'regex tester', there are online testers to put in the regex ( ^[0-9].* ) and a test string, like 0342342@domain.edu which should not match, and a43242@domain.edu which should match.

    Alternatively, you could also create a service before your existing service that uses MATCHES_REGEX ^[0-9].* and use another authentication source like the internal database to send a reject, which then is also logged as a separate service (name it like 'WLAN drop users starting with digit' or something that makes sense) and you can use that to filter in Access Tracker. If you don't do that, the authentications may show up without service selected as they 'fall-through' and that may be confusing in the long term if someone else needs to troubleshoot your deployment.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Filtering in Services

    Posted Oct 14, 2021 04:18 AM
    Herman,

    Thank you for your reply.
    These things are all new to me.

    How would you suggest this service has to be configured?

    In the service I make a rule to which SSID it applies
    And I add the rule you mentioned.

    Do I have to make a new role with a role mapping? If so, what do I have to configure in the role mapping? Nothing, or is there something specific that I have to configure?
    When I configure the service, do I leave the proxy target empty, or must I configure a fake RADIUS proxy?
    In the Enforcement tab I can choose the enforcement policy [Sample Deny Access Policy]; is that the one to select here?

    Sorry for the many questions, I hope you can help me.

    Kind regards Henk-Jan

    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------



  • 6.  RE: Filtering in Services

    EMPLOYEE
    Posted Oct 14, 2021 05:22 AM
    If it is for that 'WLAN drop users starting with digit service'; replicate the service matching parameters, but add the MATCHES_REGEX, and put that service above your normal service that matches all the non-digit-starting accounts. Then add the internal user database in as authentication source, and select EAP-TLS or so as Auth method (or PAP.. but EAP-TLS will definitely not ask on the client for a password if it is for wireless); then use the Sample Deny enforcement policy. No need for role mapping (as authentication will fail anyway), no need for proxy targets, keep the services as simple as possible; and put clear comments in your service, in case someone has a look at it.

    Would be good to work with your Aruba Partner or Aruba Support to verify if this is a production deployment. You can break things seriously if you make a mistake.

    ------------------------------
    Herman Robers
    ------------------------------
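    The two answers above describe the regex (^[0-9].*) and the service ordering (a "drop" service with MATCHES_REGEX placed above the normal service). The following is an added example and not code from the thread or from ClearPass: it models the MATCHES_REGEX, NOT_MATCHES_REGEX and BEGINS_WITH operators and first-match service selection in plain Python, so the behaviour can be checked offline before touching a production policy. The SSID name "Corp-WLAN", the service names and all sample requests are constructed for the example.

```python
"""Model of the ClearPass service-selection logic discussed in the thread.

Constructed example: the operators below imitate MATCHES_REGEX,
NOT_MATCHES_REGEX and BEGINS_WITH with plain Python and the sample
requests are made up. This is not ClearPass code.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# The pattern from the thread: ^ = start of string, [0-9] = one digit
# immediately after the start, .* = any character zero or more times.
DIGIT_FIRST = re.compile(r"^[0-9].*")

Rule = Callable[[dict], bool]


def matches_regex(attr: str, pattern: re.Pattern) -> Rule:
    """MATCHES_REGEX: true when the attribute value matches the pattern."""
    return lambda req: pattern.search(req.get(attr, "")) is not None


def not_matches_regex(attr: str, pattern: re.Pattern) -> Rule:
    """NOT_MATCHES_REGEX: the logical inverse of matches_regex."""
    inner = matches_regex(attr, pattern)
    return lambda req: not inner(req)


def begins_with(attr: str, prefix: str) -> Rule:
    """BEGINS_WITH: a literal prefix test, no character classes."""
    return lambda req: req.get(attr, "").startswith(prefix)


def equals(attr: str, value: str) -> Rule:
    return lambda req: req.get(attr) == value


def compare_operators(username: str) -> dict:
    """Show why BEGINS_WITH '[0-9]' cannot replace the regex."""
    req = {"User-Name": username}
    return {
        "BEGINS_WITH [0-9]": begins_with("User-Name", "[0-9]")(req),
        "MATCHES_REGEX ^[0-9].*": matches_regex("User-Name", DIGIT_FIRST)(req),
        "NOT_MATCHES_REGEX ^[0-9].*": not_matches_regex("User-Name", DIGIT_FIRST)(req),
    }


@dataclass(frozen=True)
class Service:
    name: str
    rules: Tuple[Rule, ...]  # all rules must match ("Matches ALL")
    enforcement: str


# Constructed service list in evaluation order: the drop service replicates the
# SSID match of the normal service and adds the regex, and sits above it.
SERVICES: Tuple[Service, ...] = (
    Service(
        "WLAN drop users starting with digit",
        (equals("ESSID", "Corp-WLAN"), matches_regex("User-Name", DIGIT_FIRST)),
        "[Sample Deny Access Policy]",
    ),
    Service(
        "WLAN Corp 802.1X",
        (equals("ESSID", "Corp-WLAN"),),
        "Corp enforcement policy",
    ),
)


def select_service(request: dict, services=SERVICES) -> Optional[str]:
    """First service whose rules all match wins; None models fall-through
    (a request that hits no service and shows up without a service name)."""
    for svc in services:
        if all(rule(request) for rule in svc.rules):
            return svc.name
    return None


if __name__ == "__main__":
    for name in ("0342342@domain.edu", "a43242@domain.edu", "DOMAIN\\0342342"):
        print(name, compare_operators(name))
        print("  ->", select_service({"User-Name": name, "ESSID": "Corp-WLAN"}))
```

    Note that the regex is anchored to the first character of the literal User-Name attribute, so a value such as DOMAIN\0342342 (realm prefix before the digits) is not caught by the drop service; if usernames arrive with a prefix, the pattern has to account for it.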



  • 7.  RE: Filtering in Services

    Posted Oct 14, 2021 05:33 AM
    Thank you very much, Herman, for your fast response and answer.

    I will contact my Aruba Partner to check the service I created before I use it.

    I hope to follow an Aruba ClearPass course in February.

    ------------------------------
    Henk-Jan Dennenberg
    ------------------------------