Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

UPN authentication with clearpass and active directory

  • 1.  UPN authentication with clearpass and active directory

    Posted Sep 24, 2014 09:18 AM

    I have ClearPass authenticating iPhones and Androids.  I need to pass the UPN authentication from ClearPass to Active Directory to have ClearPass make a decision.  Both phones authenticate via a certificate.

    My Android phones authenticate with the AD SAM username, e.g. ncci/ncdlt. The iPhones try to authenticate with the UPN, e.g. daniel_tominovich@ncci.com.  The Androids work and the iPhones do not.

    How do I get ClearPass to pass the UPN on to AD for authentication?



  • 2.  RE: UPN authentication with clearpass and active directory

    Posted Sep 24, 2014 09:20 AM
    Under the authentication tab (at the bottom), try stripping the domain using the "user:@" syntax.


  • 3.  RE: UPN authentication with clearpass and active directory

    Posted Sep 24, 2014 09:49 AM

    I tried that and it had no effect on the authentication.

    Thanks



  • 4.  RE: UPN authentication with clearpass and active directory
    Best Answer

    Posted Sep 24, 2014 01:16 PM

    Changing from this:

     

    (&(objectClass=user)(sAMAccountName=%{Authentication:Username}))


    to this:
    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

     

    was the fix.



  • 5.  RE: UPN authentication with clearpass and active directory

    Posted Sep 21, 2018 04:37 AM

    Hi!

     

    Many thanks for this authentication filter - still best choice for this scenario.

     

    I've added the AD badPwdCount to the filter so that ClearPass does not pass wrong credentials to AD after 4 tries:

     

    (&(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))(!(badPwdCount>=4)))

     

    With kind regards

    Manfred M.
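
Added example (not part of the thread and not ClearPass code): a small Python evaluator that runs the three filters quoted above against constructed directory entries, to show which usernames each filter resolves. The entries, the `parse`/`matches`/`search` helpers and the rejection of unescaped LDAP metacharacters in the username are assumptions of this example.

```python
import re

# Filters as quoted in the thread; %{Authentication:Username} is the placeholder.
SAM_ONLY = "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
SAM_OR_UPN = "(|" + SAM_ONLY + "(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))"
WITH_LOCKOUT = "(&" + SAM_OR_UPN + "(!(badPwdCount>=4)))"

# Constructed directory entries (not real accounts).
DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com", "badPwdCount": "0"},
    {"objectClass": "user", "sAMAccountName": "asmith", "userPrincipalName": "asmith@example.com", "badPwdCount": "4"},
]

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next_index)."""
    op = f[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1  # step over the closing ")"
    end = f.index(")", i)
    attr, cmp_, value = re.fullmatch(r"([\w-]+)(>=|=)(.*)", f[i + 1:end]).groups()
    return (cmp_, attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter node against one directory entry."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    cmp_, attr, value = node
    have = entry.get(attr)
    if cmp_ == ">=":
        return have is not None and int(have) >= int(value)
    return have is not None and have.lower() == value.lower()  # case-insensitive match

def search(template, username):
    """Substitute the username and return the sAMAccountName of each matching entry."""
    if re.search(r"[()*\\\x00]", username):
        raise ValueError("username contains LDAP filter metacharacters; escape per RFC 4515")
    tree, _ = parse(template.replace("%{Authentication:Username}", username))
    return [e["sAMAccountName"] for e in DIRECTORY if matches(tree, e)]
```

With the third filter, an entry whose badPwdCount is 4 or higher is not returned by the search at all, so the lookup behaves as if the user did not exist.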



  • 6.  RE: UPN authentication with clearpass and active directory

    Posted Aug 14, 2020 01:41 PM

    Hello Manfred!

     

    Aged post, but thank you for sharing that filter combination.
    Saved me time.