Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Palo Alto - Username with domain-name twice

  • 1.  Clearpass - Palo Alto - Username with domain-name twice

    Posted Dec 07, 2023 07:18 AM

    Hi.

    After experiencing some trouble with the PAN-integration on our Mobility Controllers, we are considering reverting to pushing UserID from Clearpass to Palo Alto.

    During testing we noticed that in the Palo Alto UserID log, a lot of users get the username DOMAIN\domain\username.

    Even though in the Access Tracker all of these have Radius:IETF:User-Name | DOMAIN\username, about 50% end up at the Palo Alto with a "User provided by source: DOMAIN\domain\username".

    I just can't figure out why. Any ideas?



  • 2.  RE: Clearpass - Palo Alto - Username with domain-name twice

    EMPLOYEE
    Posted Dec 07, 2023 10:14 AM

    May be easiest to have a look at this with TAC. As a start you may look at the postauthcrtl.log (from the Async Network services logs), as you can see there what ClearPass sends out. If you see the duplication there already, it's something in ClearPass to further explore, otherwise focus on the Palo Alto side.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass - Palo Alto - Username with domain-name twice

    Posted Dec 07, 2023 10:19 AM

    Thanks, I'll look into that.




  • 4.  RE: Clearpass - Palo Alto - Username with domain-name twice

    Posted Dec 07, 2023 11:37 AM

    Looking into the postauth.log it seems like the xml-payload includes DOMAIN\domain\username.

    So I guess I have to look into my Clearpass-setup, Strip Username Rules, Radius:IETF:User-Name (Request and Response) and the Username Transformation in the Endpoint Context Server settings. There has to be a combination of settings that gives this result.




  • 5.  RE: Clearpass - Palo Alto - Username with domain-name twice

    Posted Dec 08, 2023 04:40 AM

    Ok, so part of the problem was a config error. I forgot that the User Transformation on the Endpoint Context server was set to "Prefix NetBIOS name". So that's why I've got the leading DOMAIN\ prefix. Makes sense. Setting this to None or Use Full Username eliminated the duplicate DOMAIN\domain\.

    So I guess my real problem is: why does ClearPass sometimes send "domain\username" and sometimes just "username"? This even happens with the same user on the same device.




  • 6.  RE: Clearpass - Palo Alto - Username with domain-name twice

    EMPLOYEE
    Posted Dec 08, 2023 08:33 AM

    ClearPass normally does not do anything with the username, but takes it directly from the authenticating device. Does the same device authenticate on multiple services? For example when OnGuard is running? Or a combination of Web Auth and 802.1X or OnGuard?

    From this point you should also see the same username or domain\username in Access Tracker... from there you may be able to find the source and differences when ClearPass receives the one or the other form.



    ------------------------------
    Herman Robers
    ------------------------------
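
The thread's findings can be reproduced with a small model (an added example, not part of any post and not ClearPass or PAN-OS code). It assumes "Prefix NetBIOS name" prepends DOMAIN\ unconditionally, which is consistent with post 5, and shows why only logins that already arrive as domain\username end up doubled; the function names and sample usernames are constructed for illustration.

```python
# Added illustration: a model of the behaviour described in the thread,
# not ClearPass or PAN-OS code. All names and sample values are constructed.

NETBIOS = "DOMAIN"  # assumed NetBIOS domain name, as written in the thread


def prefix_netbios(username, netbios=NETBIOS):
    """Assumed model of "Prefix NetBIOS name": prepend unconditionally."""
    return f"{netbios}\\{username}"


def split_user(username):
    """Return (domain parts, bare user) for a backslash-qualified name."""
    *domains, user = username.split("\\")
    return domains, user


def has_repeated_domain(username):
    """True when the same domain appears more than once, ignoring case."""
    domains, _ = split_user(username)
    lowered = [d.lower() for d in domains]
    return len(lowered) != len(set(lowered))


def normalize(username, netbios=NETBIOS):
    """Idempotent canonical form: exactly one NETBIOS prefix."""
    domains, user = split_user(username)
    foreign = [d for d in domains if d.lower() != netbios.lower()]
    if foreign:
        raise ValueError(f"unexpected domain in {username!r}")
    return f"{netbios}\\{user}"


def audit(received):
    """Map each received name to (name after prefixing, repeated-domain flag)."""
    result = {}
    for name in received:
        sent = prefix_netbios(name)
        result[name] = (sent, has_repeated_domain(sent))
    return result


# Constructed sample: the same user arriving in both forms (post 5).
SAMPLE = ["domain\\username", "username"]

if __name__ == "__main__":
    for name, (sent, doubled) in audit(SAMPLE).items():
        print(f"{name!r:22} -> {sent!r:30} repeated domain: {doubled}")
```

Running `has_repeated_domain` over usernames exported from the firewall's User-ID log is a quick way to confirm the doubled prefix is gone after changing the transformation setting.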