Security

 View Only
last person joined: 14 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

Jump to Best Answer
This thread has been viewed 26 times
  • 1.  ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Oct 29, 2021 10:02 AM
    Hello!

    Use case is that only certain domain computers should be allowed onto the network when logged out.  Just honoring the request - not sure I agree with the need.

    What works for PEAP doesn't seem to work for TEAP.  Yes it shows success on TEAP Method-1 (machine, giving the TEAP-MachineAuth Role below), but I cannot then also check a Security Group for computer membership.   Seems as though even a blank, failed Method-2 (user) is what is passed for authorization and errors out or simply does not match.   I even tried to cull that scenario out by checking that a Method-2 user even NOT_EXISTS, but that doesn't seem to ever match a blank, either.   


    I found an article suggesting adding a Source parameter called Machine memberOf, but that did not help.   

    Is there a way to selectively check AD for Method-1 ID alone?

    Thanks!

    ------------------------------
    Gary Hahn
    ------------------------------


  • 2.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule
    Best Answer

    EMPLOYEE
    Posted Oct 29, 2021 10:58 AM
    Think you need to modify your AD Authentication source to search for the Method-1 Username. May be easiest to ask TAC, unless you are familiar with customizing Authentication sources, or someone here on the forum has something 'on the shelf' to share.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Oct 30, 2021 05:22 PM
    Thanks Herman.   Re-thinking my question a bit, it seems to me that AD would know nothing of TEAP methods, as those are set at the supplicant, so I think really all I'm looking for is that "machine memberof" concept.    That said, ClearPass obvious HAS the information I need by the time the authorization is required, I just need to know how to access it.   I'll open a case if I don't hear something from the group here.  

    So... in this case, I want the result of "clearpassgary" membership, not "pdsgary2"; but it seems to use the latter with when checking memberOf; possibly because that's what is interpreted at the Authentication:Username parameter?  I wish the detail logs did a better job of explaining what is checked - I see the pass/fail on both, but not sure why this membership check fails.


    2021-10-28 10:26:25,759 [AuthReqThreadPool-25-0x7f7ea53e9700 r=R0000008d-01-617ac115 h=66] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
    2021-10-28 10:26:25,759 [AuthReqThreadPool-25-0x7f7ea53e9700 r=R0000008d-01-617ac115 h=66] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
    2021-10-28 10:26:25,759 [AuthReqThreadPool-25-0x7f7ea53e9700 r=R0000008d-01-617ac115 h=66] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, memberOf]



    ------------------------------
    Gary Hahn
    ------------------------------



  • 4.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Nov 08, 2021 04:53 PM
    Well, you were right and I was wrong, Herman.  So I guess somehow the client reports back the TEAP method username and other related parameters to AD?  Because it was possible to modify the AD source attributes queried in order to use those in authorization.   The filter query matches the servicePrincipalName (host/host.domain.com) with Authentication:TEAP-Method-1-Username.

    ------------------------------
    Gary Hahn
    ------------------------------



  • 5.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Nov 23, 2021 10:53 AM
    hi Gary,

    i face the same problem that TEAP cannot match specific AD group.

    ------------------------------
    Ivan Yeung
    ------------------------------