Security

 View Only
Expand all | Collapse all

ClearPass UPN auth and Onboarding

This thread has been viewed 6 times
  • 1.  ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 08:51 AM

    Hi!

     

    I´m trying to change our current setup to allow users to use UPN to sign in to the wlan and then onboard their device also using their UPN. 

     

    Before using samAccountName this was no problem, but some users don´t even know their samAccountName and We therefore want to use UPN wich is the same as their emailadress.

     

    So making the service and ad-connection was no big issue, so I´ve got connecting to the wlan solved.

     

    Simply change the service not to strip @ , and added 

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

     

    To the filter of ad-connection.

     

    But when trying to connect with a onboarded device. It simply will not work. I get "User not found in any authentication source". 

    errorcode 201

     

    When checking Access-tracker I see that it might be using the wrong username somehow.

     

    I want to use firstname.lastname@domain.se

    but it simply shows:

    Authentication:Username firstname$

    I´ve tried multiple things:

    changing my AD-query to: Authentication-Fullname

    and also changing my 

    ONBOARD DEVICE REPOSITORY query to

     

    SELECT user_credential(password) AS User_Password,

           CASE WHEN enabled = FALSE THEN 225

                WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226

                WHEN approval_status != 'Approved' THEN 227

                ELSE 0

           END AS Account_Status,

    sponsor_name

    FROM tips_guest_users

    WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('%{Authentication:Full-Username}')::text) AND (app_name = 'Onboard'))

     

    But none of it seems to help.The annoying part is the log from access tracker states:

    INFO RadiusServer.Radius - rlm_ldap: searching for user firstname.lastname@domain.se in AD:xxxxx  

    wich looks correct, but still says 

    ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting

    in the end.

     

    In this link a similar issue is discussed:

    http://community.arubanetworks.com/t5/Security/onboard-device-repository-is-NOT-chosen-as-authentication-source/td-p/248951

     

    Maybe the sql stuff mentioned at the end of the thread is not the same as I tried ?

     

    Also the users UPN and samAccountName are complety different sadly...



  • 2.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 08:58 AM

    You should not be changing anything other than the AD auth source query.

     

    Make sure ONLY your AD source is listed as the auth source for your 802.1X service . You should not be attempting to authenticate against Onboard Device Repo.



  • 3.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:19 AM

    We are using the same SSID for onboarding and 802.1x. And using computer authentication for corporateclients.

     

    So I did as you said and removed onboard repository from the 802.1x service. Made no difference though, still cand find user in ad access tracker says.

     

    Also check out these computed attributes from access tracker, Authentication:Username is totaly wrong...

     

    Authentication:ErrorCode201
    Authentication:Full-Usernamehost/firstname.lastname@domain.se
    Authentication:MacAuthNotApplicable
    Authentication:OuterMethodEAP-TLS
    Authentication:PostureUnknown
    Authentication:StatusFailed
    Authentication:Usernamefirstname$


  • 4.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:26 AM

    OK, so the issue is not with Onboarded users, it's with corporate AD-joined machines receiving their certificates through ADCS?



  • 5.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:31 AM

    No, sorry for the confusion. The 802.1x with corporate machines works fine they use AD-PKI. 

     

    It´s when using UPN to onboard a device using Clearpass Onboarding CA. It worked fine using samAccountname for the onboarding, just not when we use UPN instead. Tried this with the same useraccount.

     

    Also tried with and without stripping these in the service:

    \:user,/:user

    But makes no difference. Also tried stripping @ but then UPN logon to the WLAN stops working.



  • 6.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:38 AM

    Sorry, this is very difficult to follow.

     

    So you're saying the issue only occurs during the Onboard process or post-Onboard when the device authenticates using it's certificate?

     

    Might be best to work with your ClearPass partner or Aruba TAC to work in realtime.



  • 7.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:40 AM

    Yeah, sorry.

     

    The onboarding process works fine the device is in the database and my UPN user is listed as owner of the device.

     

    It´s when connecting to the WLAN after  the device has been onboarded that I get this issue.



  • 8.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 10:02 AM

    Please post an access tracker export for the request.



  • 9.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 10:10 AM
     
     
    Summary
    Login Status:
    REJECT
    Session Identifier:
    R00430b5d-02-5a60b53e
    Date and Time:
    Jan 18, 2018 15:54:54 CET
    End-Host Identifier:
    605718937088
     
    Username:
    Access Device IP/Port:
    xx.xx.xx.xx.xx:0
    (xxxx-CTRL01 / Aruba)
    System Posture Status:
    UNKNOWN (100)
     
    Policies Used -
    Service:
     TEST
    Authentication Method:
    EAP-TLS
    Authentication Source:
    None
    Authorization Source:
    [Endpoints Repository]
    Roles:
    xxxxxx
    Enforcement Profiles:
    xxxxxx
    Service Monitor Mode:
    Disabled
    Online Status:
    Not Available

     

     Input:

    Username:
    End-Host Identifier:
    605718937088
     
    Access Device IP/Port:
    xxxxx
    (xxxxx-CTRL01 / Aruba)
     
    Radius:Aruba:Aruba-AP-GroupTEST
    Radius:Aruba:Aruba-Device-TypeWin 10
    Radius:Aruba:Aruba-Essid-Namexxxxx
    Radius:Aruba:Aruba-Location-Idxxxxxx
    Radius:IETF:Called-Station-Id0xxxx
    Radius:IETF:Calling-Station-Idxxxx
    Radius:IETF:Framed-MTU1100
    Radius:IETF:NAS-IdentifierWIFI
    Radius:IETF:NAS-IP-Addressxxxxx
    Radius:IETF:NAS-Port0
    Radius:IETF:NAS-Port-Type19
    Radius:IETF:Service-Type2
    Radius:IETF:User-Namehost/firstname.lastname@domain.se
     
    Authentication:ErrorCode201
    Authentication:Full-Usernamehost/firstname.lastname@domain.se
    Authentication:MacAuthNotApplicable
    Authentication:OuterMethodEAP-TLS
    Authentication:PostureUnknown
    Authentication:StatusFailed
    Authentication:Usernamefirstname$
    Authorization:Sources[Endpoints Repository]
    Connection:AP-NameXXXX
    Connection:Client-Mac-Address605718937088
    Connection:Client-Mac-Address-Colon60:57:18:93:70:88
    Connection:Client-Mac-Address-Dot6057.1893.7088
    Connection:Client-Mac-Address-Hyphen60-57-18-93-70-88
    Connection:Client-Mac-Address-NoDelim605718937088
    Connection:Client-Mac-Address-Upper-Hyphen60-57-18-93-70-88
    Connection:Client-Mac-VendorIntel Corporate
    Connection:Dest-IP-AddressXXXXXX
    Connection:Dest-Port1812
    Connection:NAD-IP-AddressXXXXXX
    Connection:ProtocolRADIUS
    Connection:Src-IP-AddressXXXXXX
    Connection:Src-Port52738
    Connection:SSIDXXXXX
    Date:Date-Time2018-01-18 15:54:54
    Host:FQDNfirstname.lastname@domain.se
    Host:Namefirstname

     

     

     

    Alerts:

    Error Code:
    201
    Error Category:
    Authentication failure
    Error Message:
    User not found
     Alerts for this Request  
    Policy serverFailed to get value for attributes=[Category, Device Name]
    RADIUSdomain.se - server.domain.se: User not found.
    EAP-TLS: Authentication failure, unknown user

     



  • 10.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 10:14 AM

    Why are the Onboarded devices configured for machine authentication?



  • 11.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 10:15 AM

    The Certificate is stored in the "local computer" not "local user". One person is responsible for the computer but several might use it. 

     

     

    What looks strange to me is that

    Radius:IETF:User-Namehost/firstname.lastname@domain.se

    Shows up as:

    authentication-username: firstname$

    I thought it should be:

    authentication-username: firstname.lastname@domain.se



  • 12.  RE: ClearPass UPN auth and Onboarding
    Best Answer

    Posted Jan 18, 2018 10:42 AM

    This workflow is not going to work in your environment. You'll need to put them in the user store.

     

    Shared devices under management should use centralized certificate enrollment via ADCS, SCEP or EST.

     

    Th eonly other option is to stop doing authorization against AD and only validate the certificate itself.



  • 13.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 22, 2018 03:06 AM

    Ok, good to know.

     

    So if we change to user store for the certificate. What would happend if another user onboard the same device ? Would the previous users onboard of the same device still be valid ? 



  • 14.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 22, 2018 09:42 AM

    You'd have to configure Onboard to allow multiple certificates to be issued to the same device.



  • 15.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 23, 2018 07:49 AM

    Thanks for the help!

     

    I changed to user store and now it works perfectly. We decided if multiple users share the same device, they will have to onboard the device for themself to get access.