  • 1.  ClearPass AD Filter Query - SAM + UPN

    Posted May 06, 2021 08:36 AM
    Hi all,

    I want to change the default filter query for my AD-source, so that a user can identify using the sAMAccountname OR userPrincipalName. 
    I found the following filter on this blog post that adds the UPN to the filter: 

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

    Once I apply it, it seems that ClearPass cannot contact the authentication source anymore. I get the following error when trying to log in to ClearPass with an AD administrator (as an AD test):

    Error Code:
    Failed to contact AuthSource
     Alerts for this Request:
    Tacacs server search Failed.
    Failed to authenticate user=<userX>


    I don't understand why this is happening, is the filter not complete? Once I reset the filter to default "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))" it works again.

    ------------------------------
    Lex K.
    ------------------------------


  • 2.  RE: ClearPass AD Filter Query - SAM + UPN
    Best Answer

    Posted May 06, 2021 04:29 PM
    Edited by lkrijnen May 07, 2021 02:11 AM
    You can try:

    (&(objectClass=user)(|(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username})))

    Or keep everything as default and enable "Strip Username Rules" under the TACACS service and enter the following in the text box that shows:

    user:@

    ------------------------------
    Ricardo Duarte
    ------------------------------
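As an added illustration (not code from the thread, from the community, or from ClearPass itself), the Python below renders the two filter templates posted above against a constructed AD entry, shows that they select the same user whether the login name is the sAMAccountName or the UPN, and escapes the substituted username per RFC 4515 so that a submitted value cannot change the filter's structure. The minimal parser, the `render` helper and the sample entry are assumptions for the demo; how ClearPass itself performs the `%{Authentication:Username}` substitution is not shown.

```python
# Filter templates quoted verbatim from the thread.
FILTER_ORIGINAL = ("(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
                   "(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))")
FILTER_ANSWER = ("(&(objectClass=user)(|(sAMAccountName=%{Authentication:Username})"
                 "(userPrincipalName=%{Authentication:Username})))")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: metacharacters become \\XX so they stay inside one value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def render(template: str, username: str) -> str:
    """Substitute the (escaped) username into the ClearPass-style template (assumed helper)."""
    return template.replace("%{Authentication:Username}", escape_filter_value(username))

def parse(s: str, i: int = 0):
    """Minimal LDAP filter parser for &, | and attr=value; returns (tree, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr, val), end + 1

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry of {attribute: [values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, val = node
    return any(v.lower() == val.lower() for v in entry.get(attr, []))

def matches_user(template: str, username: str, entry: dict) -> bool:
    """True if the rendered filter selects the entry for the given login name."""
    tree, _ = parse(render(template, username))
    return matches(tree, entry)

# Constructed sample entry mirroring the thread: login name differs from the UPN.
SAMPLE_USER = {"objectClass": ["top", "person", "user"],
               "sAMAccountName": ["Fin098"],
               "userPrincipalName": ["first.lastname@domain.com"]}
```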



  • 3.  RE: ClearPass AD Filter Query - SAM + UPN

    Posted May 07, 2021 02:11 AM
    Edited by lkrijnen May 07, 2021 02:29 AM
    Thank you very much for your reply. Your filter seems to be working!
    Can you explain what went wrong in using my filter query? 

    The reason stripping the username doesn't work in our case is that the username (example: Fin098) differs from the email address of the user (first.lastname@domain.com).

    Thanks anyhow, glad it works now!

    ------------------------------
    Lex K
    ------------------------------