Security

Hi.  I've been working on this for the past few days.  I even have a TAC case opened and they are researching the issues, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email.  I have everything setup (including Azure App permission), so that I can perform authentication with cert, but NOT ABLE to use user attributes for authorization because they are not available for some reasons.   The following is an excerpt from Show Logs. 

The username during the authentication should be the UPN for the Entra ID user.

And does the 'Test Connection' in your Entra ID (Azure AD) Authorization Source work?? Then you know the API tokens are valid at least.

The message you show can be either incorrect API tokens/ids or wrong format of the username (not the UPN) sent to Azure.

Hi.  I've been working on this for the past few days.  I even have a TAC case opened and they are researching the issues, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email.  I have everything setup (including Azure App permission), so that I can perform authentication with cert, but NOT ABLE to use user attributes for authorization because they are not available for some reasons.   The following is an excerpt from Show Logs. 

Hi Herman -

Thank you for the quick response.  'Test Connection' works and we have the UPN as CN in the user certificate for authentication so we should be good.  One thing I found interesting, is that I use the same filter query - users/?select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Authentication:Username}/users/{id}/memberOf?select=displayName.  However, I have gotten errors when I tried to run this query in the Microsoft Graph Explorer.  I have tweaked the query to work partially.  Take this section of query for example, users/?select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Authentication:Username}, I had to change it to users/?$select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName eq {Authentication:Username} (of course I used my own UPN for this).  Also, what's the correct syntax to inject the ClearPass macro to the query?  Should it be in the format of %{Authentication:Username}

Thanks,

Kawai

The username during the authentication should be the UPN for the Entra ID user.

And does the 'Test Connection' in your Entra ID (Azure AD) Authorization Source work?? Then you know the API tokens are valid at least.

The message you show can be either incorrect API tokens/ids or wrong format of the username (not the UPN) sent to Azure.

Hi.  I've been working on this for the past few days.  I even have a TAC case opened and they are researching the issues, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email.  I have everything setup (including Azure App permission), so that I can perform authentication with cert, but NOT ABLE to use user attributes for authorization because they are not available for some reasons.   The following is an excerpt from Show Logs. 

The username during the authentication should be the UPN for the Entra ID user.

And does the 'Test Connection' in your Entra ID (Azure AD) Authorization Source work?? Then you know the API tokens are valid at least.

The message you show can be either incorrect API tokens/ids or wrong format of the username (not the UPN) sent to Azure.

Hi.  I've been working on this for the past few days.  I even have a TAC case opened and they are researching the issues, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email.  I have everything setup (including Azure App permission), so that I can perform authentication with cert, but NOT ABLE to use user attributes for authorization because they are not available for some reasons.   The following is an excerpt from Show Logs. 

We only have azure AD, for Tacacs+ as it does not support authentication, we use local authentication. But user name do we have to use UPN? That means email?  If so how do we ssh into network devices?

The username during the authentication should be the UPN for the Entra ID user.

And does the 'Test Connection' in your Entra ID (Azure AD) Authorization Source work?? Then you know the API tokens are valid at least.

The message you show can be either incorrect API tokens/ids or wrong format of the username (not the UPN) sent to Azure.

Hi.  I've been working on this for the past few days.  I even have a TAC case opened and they are researching the issues, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email.  I have everything setup (including Azure App permission), so that I can perform authentication with cert, but NOT ABLE to use user attributes for authorization because they are not available for some reasons.   The following is an excerpt from Show Logs. 

Currently, I am using on-prem AD auth source for that. ClearPass only supports OAuth for web based authentications. I think they need to support authentication via Entra ID.

We only have azure AD, for Tacacs+ as it does not support authentication, we use local authentication. But user name do we have to use UPN? That means email?  If so how do we ssh into network devices?

The username during the authentication should be the UPN for the Entra ID user.

And does the 'Test Connection' in your Entra ID (Azure AD) Authorization Source work?? Then you know the API tokens are valid at least.

The message you show can be either incorrect API tokens/ids or wrong format of the username (not the UPN) sent to Azure.

Hi.  I've been working on this for the past few days.  I even have a TAC case opened and they are researching the issues, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email.  I have everything setup (including Azure App permission), so that I can perform authentication with cert, but NOT ABLE to use user attributes for authorization because they are not available for some reasons.   The following is an excerpt from Show Logs. 

even okay to use local user for authentication, but can clearpass set use SAMaccountname or first part of UPN for authorization? 

Currently, I am using on-prem AD auth source for that. ClearPass only supports OAuth for web based authentications. I think they need to support authentication via Entra ID.

We only have azure AD, for Tacacs+ as it does not support authentication, we use local authentication. But user name do we have to use UPN? That means email?  If so how do we ssh into network devices?

The username during the authentication should be the UPN for the Entra ID user.

And does the 'Test Connection' in your Entra ID (Azure AD) Authorization Source work?? Then you know the API tokens are valid at least.

The message you show can be either incorrect API tokens/ids or wrong format of the username (not the UPN) sent to Azure.

Hi.  I've been working on this for the past few days.  I even have a TAC case opened and they are researching the issues, but basically the filter is not able to pull user attributes such as AccountEnabled, Department, Email.  I have everything setup (including Azure App permission), so that I can perform authentication with cert, but NOT ABLE to use user attributes for authorization because they are not available for some reasons.   The following is an excerpt from Show Logs. 

Hi Harman,

Please guide on how to check if authorization attributes are being fetched from Microsoft Entra id. I don't see any Entra id attributes under "Computed Attributes" section for Entra & apparently enforcement fails for user & user doesn't get access hitting default deny access profile.

Thanks in advance.

Nilesh Kahar.

First of all, make sure that your Entra ID Authorization Source is added for authorization, and actually used in the role-mapping or enforcement, because if it's not used, the lookup will be skipped because there is no possible result for the policy.

Then, make sure that you send the correct identity for the Entra ID Graph API query, some examples above in this discussion, or check the documentation. Bottom line, if you have a query based on the User Principle Name (UPN), make sure that you also send the UPN. If you query on email, or other attibute, make sure that is sent.

If it still doesn't work, you could check the detailed authentication log and see if there is an indication. Or, if it still not works, work with your HPE Aruba Networking partner or TAC to further investigate. 

Hi Harman,

Please guide on how to check if authorization attributes are being fetched from Microsoft Entra id. I don't see any Entra id attributes under "Computed Attributes" section for Entra & apparently enforcement fails for user & user doesn't get access hitting default deny access profile.

Thanks in advance.

Nilesh Kahar.

Hi Herman,

Thank you for your reply. Entra ID connection seems successful via app registration.

Please help if attribute query part for Entra ID is correct, as shown below.

Filter query : users/?select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Authentication:Username} /users/{id}/memberOf?select=displayName

Thanks,

Nilesh Kahar.

First of all, make sure that your Entra ID Authorization Source is added for authorization, and actually used in the role-mapping or enforcement, because if it's not used, the lookup will be skipped because there is no possible result for the policy.

Then, make sure that you send the correct identity for the Entra ID Graph API query, some examples above in this discussion, or check the documentation. Bottom line, if you have a query based on the User Principle Name (UPN), make sure that you also send the UPN. If you query on email, or other attibute, make sure that is sent.

If it still doesn't work, you could check the detailed authentication log and see if there is an indication. Or, if it still not works, work with your HPE Aruba Networking partner or TAC to further investigate. 

Hi Harman,

Please guide on how to check if authorization attributes are being fetched from Microsoft Entra id. I don't see any Entra id attributes under "Computed Attributes" section for Entra & apparently enforcement fails for user & user doesn't get access hitting default deny access profile.

Thanks in advance.

Nilesh Kahar.

Are you on ClearPass 6.12?

There is something weird with that query... where you have the part filter=userPrincipalName, I would expect 'eq %{Authentication:Username}', and the eq is missing, which may be the reason. The screenshot above that you copied seems from ClearPass 6.11 (dated 2022).

Here are the queries that I use at the moment:

1. users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=userPrincipalName eq %{Certificate:Subject-AltName-msUPN};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes2. device:devices?$select=id,deviceId,displayName,approximateLastSignInDateTime,enrollmentType&$filter=deviceId eq %{Certificate:Subject-L};deviceGroups:devices/%{device:id}/memberOf?$select=displayName

Hi Herman,

Thank you for your reply. Entra ID connection seems successful via app registration.

Please help if attribute query part for Entra ID is correct, as shown below.

Filter query : users/?select=mail,userPrincipalName,id,department,accountEnabled&$filter=userPrincipalName%{Authentication:Username} /users/{id}/memberOf?select=displayName

Thanks,

Nilesh Kahar.

First of all, make sure that your Entra ID Authorization Source is added for authorization, and actually used in the role-mapping or enforcement, because if it's not used, the lookup will be skipped because there is no possible result for the policy.

Then, make sure that you send the correct identity for the Entra ID Graph API query, some examples above in this discussion, or check the documentation. Bottom line, if you have a query based on the User Principle Name (UPN), make sure that you also send the UPN. If you query on email, or other attibute, make sure that is sent.

If it still doesn't work, you could check the detailed authentication log and see if there is an indication. Or, if it still not works, work with your HPE Aruba Networking partner or TAC to further investigate. 

Hi Harman,

Please guide on how to check if authorization attributes are being fetched from Microsoft Entra id. I don't see any Entra id attributes under "Computed Attributes" section for Entra & apparently enforcement fails for user & user doesn't get access hitting default deny access profile.

Thanks in advance.

Nilesh Kahar.