Hi
As the userPrincipalName is in the form of username@domain.com, you will not find the user with the specified query if only the username is specified.
Either you need to provide the full userPrincipalName in the login, or modify the query to allow searching for the user both with and without the domain suffix.
I usually utilize a query in this format:
- (&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))
- (distinguishedName=%{memberOf})
- (&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
- (&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
- (distinguishedName=%{Onboard memberOf})
Breaking down the first statement: I have extended the query so it searches not only for the userPrincipalName.
Instead, I search for three different formats of the username in two AD attributes:
- userPrincipalName with the domain appended, useful if the user only provides firstname.lastname. This is also the syntax needed if the domain part is stripped in the Service configuration
- sAMAccountName, useful if the user provides the old Windows account name.
- userPrincipalName without modifications
You may also strip any domain name from the user name in the service. If the domain suffix is removed, you have to modify the query to match all domain suffixes your users can have.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
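The behaviour described in the reply above, as an added example that is not part of the thread: a small Python evaluator for the filter subset used here, run over constructed directory entries, showing why the default filter returns nothing for a bare username while the expanded one matches. The domain suffix, the directory entries and the RFC 4515 escaping helper are assumptions, not ClearPass internals.

```python
import re

DOMAIN = "domain.com"  # assumed suffix standing in for the poster's real domain

# Filter 1 as shipped (from the thread) and the expanded version from the reply.
DEFAULT_FILTER = "(&(userPrincipalName=%{Authentication:Username})(objectClass=user))"
EXPANDED_FILTER = ("(&(|(userPrincipalName=%{Authentication:Username}@" + DOMAIN + ")"
                   "(sAMAccountName=%{Authentication:Username})"
                   "(userPrincipalName=%{Authentication:Username}))(objectClass=user))")

# Constructed directory entries (not real accounts).
DIRECTORY = [
    {"userPrincipalName": "patrick.walton@domain.com", "sAMAccountName": "pwalton", "objectClass": "user"},
    {"userPrincipalName": "admin@domain.com", "sAMAccountName": "admin", "objectClass": "user"},
    {"sAMAccountName": "CP-SERVER$", "objectClass": "computer"},
]

def escape(value):
    """RFC 4515 escaping: keeps a typed username from changing the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape(value):
    """Reverse RFC 4515 escaping so comparisons see the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render(template, username):
    """Substitute %{Authentication:Username} as the ClearPass template does."""
    return template.replace("%{Authentication:Username}", escape(username))

def parse(s, i=0):
    """Parse the subset used here: (&...), (|...), (attr=value). Returns (node, next index)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def evaluate(node, entry):
    """AD matching is case-insensitive for these attributes, so compare lowercased."""
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    return entry.get(node[1], "").lower() == unescape(node[2]).lower()

def lookup(template, username):
    """Return sAMAccountNames of entries matching the rendered filter; an empty list is the error 201 case."""
    node, _ = parse(render(template, username))
    return [e["sAMAccountName"] for e in DIRECTORY if evaluate(node, e)]
```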
Original Message:
Sent: May 17, 2024 11:00 AM
From: Patrick Walton
Subject: Clearpass error code 201 - User not present in AD?
I am trying to set up a new TACACS+ service that will check Active Directory for administrator accounts. Our Clearpass servers are AD joined and I have an AD authentication source setup using the default values. I can browse the AD tree and see the users in an OU.
Our current AAA platform does not require us to pass domains along with the admin username, e.g.
domain\admin
or
admin@sub.domain.com
So I am trying to set this up so it follows the same pattern of logging in with a simple 'admin' username. We don't need to strip anything from the username currently.
What I am running into is a consistent error 201 that Clearpass cannot find the user in the tree. I have the base DN of our authentication source at the top of the tree and am using a subtree search. The default attributes/filters are:
1. (&(userPrincipalName=%{Authentication:Username})(objectClass=user))
2. (distinguishedName=%{memberOf})
3. (&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
4. (&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
5. (distinguishedName=%{Onboard memberOf})
I am seeing the following in the access tracker:
User 'admin' not present in dc_01(dc-01.sub.domain.com).
Failed to authenticate user=admin
(Note that the name 'admin' here is just what I'm inputting to scrub usernames from the forum and not the actual name I'm trying to authenticate with)
I've tried pointing the base DN to the specific OU I see the users in, adjusting the filters, and can't seem to get Clearpass to find the users. Any help pointing me in the right direction would be appreciated!