Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

  • 1.  ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Oct 29, 2021 10:02 AM
    Hello!

    The use case is that only certain domain computers should be allowed onto the network when logged out. Just honoring the request - not sure I agree with the need.

    What works for PEAP doesn't seem to work for TEAP. Yes, it shows success on TEAP Method-1 (machine, giving the TEAP-MachineAuth Role below), but I cannot then also check a Security Group for computer membership. It seems as though even a blank, failed Method-2 (user) is what is passed for authorization and errors out or simply does not match. I even tried to cull that scenario out by checking that a Method-2 user NOT_EXISTS, but that doesn't seem to ever match a blank, either.


    I found an article suggesting adding a Source parameter called Machine memberOf, but that did not help.   

    Is there a way to selectively check AD for Method-1 ID alone?

    Thanks!

    ------------------------------
    Gary Hahn
    ------------------------------


  • 2.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule
    Best Answer

    EMPLOYEE
    Posted Oct 29, 2021 10:58 AM
    Think you need to modify your AD Authentication source to search for the Method-1 Username. May be easiest to ask TAC, unless you are familiar with customizing Authentication sources, or someone here on the forum has something 'on the shelf' to share.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Oct 30, 2021 05:22 PM
    Thanks Herman. Re-thinking my question a bit, it seems to me that AD would know nothing of TEAP methods, as those are set at the supplicant, so I think really all I'm looking for is that "machine memberOf" concept. That said, ClearPass obviously HAS the information I need by the time the authorization is required; I just need to know how to access it. I'll open a case if I don't hear something from the group here.

    So... in this case, I want the result of "clearpassgary" membership, not "pdsgary2"; but it seems to use the latter when checking memberOf, possibly because that's what is interpreted at the Authentication:Username parameter? I wish the detail logs did a better job of explaining what is checked - I see the pass/fail on both, but I'm not sure why this membership check fails.


    2021-10-28 10:26:25,759 [AuthReqThreadPool-25-0x7f7ea53e9700 r=R0000008d-01-617ac115 h=66] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
    2021-10-28 10:26:25,759 [AuthReqThreadPool-25-0x7f7ea53e9700 r=R0000008d-01-617ac115 h=66] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
    2021-10-28 10:26:25,759 [AuthReqThreadPool-25-0x7f7ea53e9700 r=R0000008d-01-617ac115 h=66] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, memberOf]



    ------------------------------
    Gary Hahn
    ------------------------------



  • 4.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Nov 08, 2021 04:53 PM
    Well, you were right and I was wrong, Herman.  So I guess somehow the client reports back the TEAP method username and other related parameters to AD?  Because it was possible to modify the AD source attributes queried in order to use those in authorization.   The filter query matches the servicePrincipalName (host/host.domain.com) with Authentication:TEAP-Method-1-Username.

    ------------------------------
    Gary Hahn
    ------------------------------
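The fix in post 4 comes down to which request attribute the AD authentication source's filter is keyed on. The following is an added example in Python, not code from the thread and not ClearPass's own implementation: it models how a ClearPass-style parameterized LDAP filter is expanded from request attributes and run against AD, so you can see why a filter keyed on Authentication:Username misses the TEAP Method-1 machine identity while one keyed on servicePrincipalName finds it, and why a missing parameter produces the "No values for param" failure from the log in post 3. The directory, request attributes, filter templates, group DN and host names below are constructed stand-ins; the ClearPass attribute names are taken from the thread and the stock filter shape is an assumption. It also makes one point the thread does not: the EAP identity is chosen by the supplicant, so the value spliced into the filter must be escaped.

```python
"""Added example: ClearPass-style parameterized LDAP filter expansion against a
constructed in-memory stand-in for AD. Not code from the thread or from ClearPass;
all names, DNs and templates are assumptions."""
import re
from typing import Dict, List

# Constructed stand-in for the AD objects the authentication source would query.
DIRECTORY: List[Dict[str, List[str]]] = [
    {   # computer object: AD's computer class derives from user, so both appear in objectClass
        "distinguishedName": ["CN=WKS-0042,OU=Workstations,DC=example,DC=com"],
        "sAMAccountName": ["WKS-0042$"],
        "servicePrincipalName": ["HOST/WKS-0042", "HOST/wks-0042.example.com"],
        "memberOf": ["CN=NAC-Allowed-Computers,OU=Groups,DC=example,DC=com"],
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
    },
    {   # the interactive user an outer/Method-2 identity would resolve to
        "distinguishedName": ["CN=Alice,OU=Users,DC=example,DC=com"],
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
    },
]

# Assumed templates. USER_FILTER has the shape of a stock AD source filter;
# MACHINE_FILTER is the kind of change post 4 describes (host/... identity
# matched against servicePrincipalName, keyed on the Method-1 username).
USER_FILTER = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
MACHINE_FILTER = ("(&(servicePrincipalName=%{Authentication:TEAP-Method-1-Username})"
                  "(objectClass=computer))")
ALLOWED_GROUP = "CN=NAC-Allowed-Computers,OU=Groups,DC=example,DC=com"


def ldap_escape(value: str) -> str:
    """RFC 4515 value escaping; the EAP identity is supplicant-controlled."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(template: str, attrs: Dict[str, str], escape: bool = True) -> str:
    """Expand %{Name} parameters. A parameter with no value aborts the filter,
    mirroring the 'No values for param=...' warning in the thread's log."""
    def sub(m):
        val = attrs.get(m.group(1), "")
        if not val:
            raise ValueError("No values for param=%s" % m.group(1))
        return ldap_escape(val) if escape else val
    return re.sub(r"%\{([^}]+)\}", sub, template)


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(f: str, i: int):
    """Minimal recursive-descent parser for (&...), (|...) and (attr=value).
    An escaped ')' arrives as '\\29', so a raw ')' always terminates a value."""
    i += 1  # skip '('
    if f[i] in "&|":
        op, i, subs = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1
    eq, close = f.index("=", i), f.index(")", i)
    attr, raw = f[i:eq], f[eq + 1:close]
    # A raw '*' is a wildcard; an escaped one ('\2a') is a literal asterisk.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return ("=", attr, re.compile("^" + pattern + "$", re.IGNORECASE)), close + 1


def _eval(node, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "=":  # AD string matching is case-insensitive
        return any(node[2].match(v) for v in entry.get(node[1], []))
    results = [_eval(n, entry) for n in node[1]]
    return all(results) if node[0] == "&" else any(results)


def search(filter_str: str) -> List[Dict[str, List[str]]]:
    node, _ = _parse(filter_str, 0)
    return [e for e in DIRECTORY if _eval(node, e)]


def groups_for(template: str, request: Dict[str, str], escape: bool = True) -> List[str]:
    """memberOf of whatever the template selects; [] when the filter cannot be
    built or matches nothing (the 'simply does not match' outcome in post 1)."""
    try:
        hits = search(build_filter(template, request, escape))
    except ValueError:
        return []
    return sorted(g for e in hits for g in e.get("memberOf", []))


def machine_allowed(request: Dict[str, str]) -> bool:
    """The authorization rule: the Method-1 machine must be in ALLOWED_GROUP."""
    return ALLOWED_GROUP.lower() in (g.lower() for g in groups_for(MACHINE_FILTER, request))


# Constructed request attributes for a logged-out machine (Method-1 only).
LOGGED_OUT = {
    "Authentication:Username": "host/wks-0042.example.com",
    "Authentication:TEAP-Method-1-Username": "host/wks-0042.example.com",
}

if __name__ == "__main__":
    print(groups_for(USER_FILTER, LOGGED_OUT))     # [] : sAMAccountName is WKS-0042$, not host/...
    print(groups_for(MACHINE_FILTER, LOGGED_OUT))  # the NAC-Allowed-Computers DN
    print(machine_allowed(LOGGED_OUT))             # True
    print(machine_allowed({"Authentication:TEAP-Method-1-Username": "*"}))  # False: '*' is escaped
```

Two things to take from running it: a request that carries no Method-1 username (a plain user logon) makes the machine filter unbuildable, which is the same failure class as the `No values for param=memberOf` line in the log, and with `escape=False` an identity of `*` matches every computer object, which is why a production filter must never interpolate the supplicant's identity raw.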



  • 5.  RE: ClearPass TEAP Machine Authorization:AD for machine accounts doesn't match rule

    Posted Nov 23, 2021 10:53 AM
    Hi Gary,

    I face the same problem: TEAP cannot match a specific AD group.

    ------------------------------
    Ivan Yeung
    ------------------------------