Hi!
I'm trying to change our current setup to allow users to use their UPN to sign in to the WLAN and then onboard their device, also using their UPN.
Before, using sAMAccountName was no problem, but some users don't even know their sAMAccountName, and we therefore want to use the UPN, which is the same as their email address.
Making the service and AD connection was no big issue, so I've got connecting to the WLAN solved.
I simply changed the service not to strip the @, and added
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))
to the filter of the AD connection.
But when trying to connect with an onboarded device, it simply will not work. I get "User not found in any authentication source", error code 201.
When checking Access Tracker, I see that it might be using the wrong username somehow.
I want to use firstname.lastname@domain.se, but it simply shows:
Authentication:Username | firstname$
I've tried multiple things:
changing my AD-query to: Authentication-Fullname
and also changing my
ONBOARD DEVICE REPOSITORY query to
SELECT user_credential(password) AS User_Password,
CASE WHEN enabled = FALSE THEN 225
WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226
WHEN approval_status != 'Approved' THEN 227
ELSE 0
END AS Account_Status,
sponsor_name
FROM tips_guest_users
WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('%{Authentication:Full-Username}')::text) AND (app_name = 'Onboard'))
But none of it seems to help. The annoying part is that the log from Access Tracker states:
INFO RadiusServer.Radius - rlm_ldap: searching for user firstname.lastname@domain.se in AD:xxxxx
which looks correct, but still says
ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting
in the end.
In this link a similar issue is discussed:
http://community.arubanetworks.com/t5/Security/onboard-device-repository-is-NOT-chosen-as-authentication-source/td-p/248951
Maybe the SQL stuff mentioned at the end of the thread is not the same as what I tried?
Also, the users' UPN and sAMAccountName are completely different, sadly...
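As an added example (not part of the original post, and not ClearPass or Aruba code), the script below takes the AD filter quoted above and evaluates it against a small, constructed in-memory directory. It models only what the filter itself expresses (a user object whose sAMAccountName or userPrincipalName equals the substituted value), not how ClearPass resolves %{Authentication:Username} internally. The user entries, the hypothetical "john.doe$" value standing in for the "firstname$" seen in Access Tracker, and the escaping helper are all assumptions made for illustration. It shows that the "$"-suffixed value matches neither attribute (the same symptom as the reject in the post), and why the substituted username must be escaped per RFC 4515 before it is placed into the filter: an unescaped "*" or ")" changes the filter's meaning.

```python
"""Evaluate the posted LDAP filter against constructed sample data (added example)."""
import re

# Constructed sample directory entries; these are not real accounts.
DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "jdoe",
     "userPrincipalName": "john.doe@domain.se"},
    {"objectClass": "user", "sAMAccountName": "asmith",
     "userPrincipalName": "anna.smith@domain.se"},
    {"objectClass": "computer", "sAMAccountName": "LAPTOP01$",
     "userPrincipalName": ""},
]

# The filter from the post, with {u} where %{Authentication:Username} is expanded.
FILTER_TEMPLATE = ("(|(&(objectClass=user)(sAMAccountName={u}))"
                   "(&(objectClass=user)(userPrincipalName={u})))")

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, escape: bool = True) -> str:
    """Substitute the username into the template (escaped unless told otherwise)."""
    return FILTER_TEMPLATE.format(u=ldap_escape(username) if escape else username)


def value_pattern(raw: str) -> re.Pattern:
    """Turn a raw filter value into a regex: \\xx hex escapes become literal
    characters, an unescaped * is a wildcard. AD compares case-insensitively."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 2 < len(raw):
            out.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def parse_filter(s: str, i: int = 0):
    """Minimal parser for the subset used above: (&...), (|...) and (attr=value).
    Returns (node, index just past the closing parenthesis)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":
        op, children = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        assert s[i] == ")"
        return (op, children), i + 1
    # Simple equality item; the next ')' ends it, which is only safe because
    # a properly escaped value cannot contain a raw ')'.
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, value_pattern(val)), j + 1


def evaluate(node, entry: dict) -> bool:
    """Evaluate a parsed filter node against one directory entry."""
    if node[0] == "&":
        return all(evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, entry) for c in node[1])
    _, attr, pattern = node
    return pattern.match(entry.get(attr, "")) is not None


def search(username: str, escape: bool = True) -> list:
    """Return the UPNs of entries the filter matches for this username."""
    tree, _ = parse_filter(build_filter(username, escape))
    return sorted(e["userPrincipalName"] for e in DIRECTORY if evaluate(tree, e))


if __name__ == "__main__":
    for u in ("jdoe", "john.doe@domain.se", "john.doe$"):
        print(f"{u!r:28} -> {search(u)}")
    print("unescaped '*'", "->", search("*", escape=False))
    print("escaped   '*'", "->", search("*"))
```

Both sAMAccountName and UPN resolve the same user, while "john.doe$" resolves nothing, which is consistent with the "User not found in any authentication source" line in the post. The last two calls show the reason for escaping: unescaped, a single "*" matches every user object; escaped, it is compared literally and matches nothing.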