Security

 View Only
last person joined: 15 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass error code 201 - User not present in AD?

This thread has been viewed 17 times
  • 1.  Clearpass error code 201 - User not present in AD?

    Posted 24 days ago

    I am trying to set up a new TACACS+ service that will check Active Directory for administrator accounts.  Our Clearpass servers are AD joined and I have an AD authentication source setup using the default values.  I can browse the AD tree and see the users in an OU.

    Our current AAA platform does not require us to pass domains along with the admin username, eg.

    domain\admin 

    or

    admin@sub.domain.com

    So I am trying to set this up so it follows the same pattern of logging in with a simple 'admin' username.  We don't need to strip anything from the username currently.

    What I am running into is a consistent error 201 that Clearpass cannot find the user in the tree.  I have the base DN of our authentication source at the top of the tree and using a subtree search.  The default attributes/filters are:

    1. (&(userPrincipalName=%{Authentication:Username})(objectClass=user))
    2. (distinguishedName=%{memberOf})
    3. (&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
    4. (&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
    5. (distinguishedName=%{Onboard memberOf})

    I am seeing the following in the access tracker:

    User 'admin' not present in dc_01(dc-01.sub.domain.com).
    Failed to authenticate user=admin

    (Note that the name 'admin' here is just what I'm inputting to scrub usernames from the forum and not the actual name I'm trying to authenticate with)

    I've tried pointing the base DN to the specific OU I see the users in, adjusting the filters, and can't seem to get Clearpass to find the users.  Any help pointing me in the right direction would be appreciated!



  • 2.  RE: Clearpass error code 201 - User not present in AD?
    Best Answer

    EMPLOYEE
    Posted 23 days ago

    Your current filter is going to check against the UPN and will be a literal compare as there isn't any wildcard check involved.

    What I would recommend using as a base filter for AD:

    ******
    <Active Directory Auth Source>
    Modification to existing Authentication filter configuration to enable UPN lookup:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

    ******

    Note that this is still checking for an exact match.

    Two options for loosening the search:

    1. Use a wildcard in the match: (userPrincipalName=%{Authentication:Username}*)
    2. Specify the domain in the query: (userPrincipalName=%{Authentication:Username}@domain.com)

    The first option can result in unexpected matches.  The second option isn't usable if the query includes the domain name, so make sure to enable the stripping rules in the service.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass error code 201 - User not present in AD?

    Posted 23 days ago

    Thanks @chulcher! It definitely was the filter.  I am able to query for the correct name and authenticate now.




  • 4.  RE: Clearpass error code 201 - User not present in AD?

    Posted 22 days ago

    Hi

    As the userPrincipalName is oin the form of username@domain.com you will not find the user with the specified query if only the username is specified.

    Either you need to provide the full userPrincipalName in the login, or modifying the query to allow to search for the user both with and without the domain suffix.

    I usually utilize a query in this format:

    1. (&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))
    2. (distinguishedName=%{memberOf})
    3. (&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
    4. (&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
    5. (distinguishedName=%{Onboard memberOf})

    Breaking down the first statement I have added to the query to search not only for the userPrincipalName.
    Instead I search for three different formats of the username in two AD attributes.

    • userPrincipalName and appending the domain, useful if the user only provides firstname.lastname. Also the needed syntax if the domain part is stripped in the Service configuration
    • sAMAccountName, useful if the user provides the old Windows account name.
    • userPrincipalName without modifications

    You may also strip any domain name from the user name in the service. If the domain suffix is removed you have to modify the the query to match all domain suffixes your users can have.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------