Security

 View Only
last person joined: 17 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Different Machine Auth Username since 6.11 Upgrade

This thread has been viewed 14 times
  • 1.  Different Machine Auth Username since 6.11 Upgrade

    Posted 30 days ago

    Hello everybody !

    I was using TEAP-MSCHAPv2 on a cluster of 6.10 appliances for months.

    For the machine authentication, the ServicePrincipalName was used (formatted like host/hostname.domain) but since the upgrade to 6.11, the machine authentication doesn't use the ServicePrincipalName anymore but the sAMaccountName instead (hostname$ format). Because my authorization source was using the ServicePrincipalName in the filters, I can't retrieve the Authorization attributes anymore. A quick fix will to update my authentication source filter to use sAMaccountName but I would like to know why this behavior changed with the upgrade.

    My understanding was that the attribute format was « decided » by the endpoint so that's why it feels strange to me because we didn't touch the endpoints, only an upgrade to 6.11 . When I speak about machine auth username, I mean the TEAP-Method-1-Username computed attribute.

    I hope someone could help me better understand this behavior ! Thanks in advance 



  • 2.  RE: Different Machine Auth Username since 6.11 Upgrade

    Posted 29 days ago

    I can't speak to this exact error but I would look at using certificates for TEAP instead of username/passwords.  




  • 3.  RE: Different Machine Auth Username since 6.11 Upgrade

    Posted 28 days ago

    Thanks for your answer.

    Yes, we are planning to switch to certificate authentication but I'm trying to understand what's happening in the back and why we see different username format just by upgrading ClearPass. But yes, maybe I'm digging to much on this, I just really want to find an explanation every time I see something weird.




  • 4.  RE: Different Machine Auth Username since 6.11 Upgrade

    EMPLOYEE
    Posted 22 days ago

    I've not seen this before. It may be a 'display thing'. Checking through the logs, or doing a packet capture on the RADIUS traffic, may provide you with the information what is the actual username being used. With TEAP there is also anonymous authentication, and in the TEAP method you can select the username that is being used and displayed (instead of the anonymous username); but even then I'm not aware of changes between ClearPass 6.10 and 6.11 on this subject. And I'm in the same understanding that the client decides on the username that is sent, so it does not make sense that upgrading ClearPass would change the username used by the client; but I may be wrong of course.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------