Security

 View Only
  • 1.  CPPM Auth Source filter query attributes

    Posted Sep 25, 2024 10:14 AM

    Is it possible to use other attributes than %{Authentication:Username} in filter queries, like %{Authentication:Full-Username} ?

    Users are joining our 802.1X network either with sAMAccountName@domain.local or UserPrincipalName@domain.com. To match sAMAccountName in LDAPS we need to strip the name in the service [ user:@ ]. Filter query (sAMAccountName=%{Authentication:Username}) is working.

    To match UserPrincipalName in the same filter we need to add the domain manually, since Username is the stripped one: (userPrincipalName=%{Authentication:Username}@domain.com) is working, too.

    But we use mutliple domain suffixes. Adding each domain manually will cause a complex filter. I thought about using (userPrincipalName=%{Authentication:Full-Username}) since the Full-Username is not stripped and available in the request details. But it's not working. 



  • 2.  RE: CPPM Auth Source filter query attributes

    Posted Sep 25, 2024 10:39 AM

    I always edit the default filter to include UPN in the search.

    ******
    <Active Directory Auth Source>
    Modification to existing Authentication filter configuration to enable UPN lookup:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: CPPM Auth Source filter query attributes

    Posted Sep 26, 2024 03:38 AM

    We need to use the "Strip" feature in the services for users with "sAMAccountName@domain.local". 

    For now we use two services, one with Strip enabled, one without. Because with strip enabled the userprincipalname gets cut and doesn't match the AD query.

    Since there is the attribute {Authentication:Full-Username} I thought I could use it to comine both services, but it don't work in my Lab.




  • 4.  RE: CPPM Auth Source filter query attributes

    Posted Sep 26, 2024 08:48 AM

    The Full-Username ist the username as received from the client - before the strip user name rules are applied.
    You can customize the LDAP query in the Auth Source, similar to what Carson suggested.
    Compare sAMAccountName with Authentication:Username and sAMAccountName with Authentication:Full-Username. You must link both queries with an "OR".

    (|
      (&
        (sAMAccountName=%{Authentication:Username})
        (objectClass=user))
      (&
        (userPrincipalName=%{Authentication:Full-Username})
        (objectClass=user))
    )



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: CPPM Auth Source filter query attributes

    Posted Sep 26, 2024 10:39 AM

    Yes, this is exactly what I want to use. But it doesn't work. Is it working in your lab with Full-Username?

    Maybe I made it a little bit complicated by explaining why I need to use it. Let's break it down:

    In a service without stripping the username and only using sAMAccountName: Is this filter working for anyone?

    (&
        (sAMAccountName=%{Authentication:Full-Username})
        (objectClass=user))

    In Access Tracker I receive alert: ldap.domain.com - ldap.domain.com: User not found.
    Under Input -> Computed Attributes I can see that Authentication:Full-Username is the same value as Authentication:Username

    If I delete the "Full-" it works properly.




  • 6.  RE: CPPM Auth Source filter query attributes

    Posted Sep 30, 2024 09:06 AM

    I tested it for a long time today, the filter

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Full-Username})(objectClass=user))))

    does not work as expected. The syntax suggests that I have a match if either sAMAccountName equals Username or userPrincipalName equals Full-Username. But something else happens.

    Then I looked at the LDAP query in Wireshark. I have CPPM 6.11.9 and Windows Server 2016 running in the lab, the client has authenticated with EAP-TLS.

    The following happens with every WLAN connection:

    1. ClearPass queries standard attributes, the value for %{Authentication:Full-Username} is omitted. Only sAMAccountName is compared with %{Authentication:Username}.Wireshark shows the value of %{Authentication:Full-Username} as "user", if you take a closer look at the filters, you can see that the value to be queried is missing.

    2. The Windows Server returns objectSid and sAMAccountName. All other attributes are missing in my lab or are empty.

    3. ClearPass then makes a second LDAP query, setting the value %{Authentication:Full-Username} and querying all attributes from the Authentication Filter.

    4. The DC returns the queried attributes

    The important thing is, if the first LDAP query fails (e.g. because I compare sAMAccountName with %{Authentication:Full-Username} (ClearPass omits the value of %{Authentication:Full-Username} again) or because the sAMAccountName contains a different value than the %{Authentication:Username}) - the second query is not executed. The user is not found, ClearPass rejects the authentication.

    It looks like ClearPass always has to compare sAMAccountName with %{Authentication:Username}.

    I had not noticed this behavior before, I often used the attributes userPrincipalName or mail additionally, but I always took %{Authentication:Username} as input.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------