Apologies, wasn't looking at that closely enough. The "Filter" tab allows you to add attributes to the filter by clicking directly into the returned data. And correct, a compound query with multiple parameters will result in that error.
Original Message:
Sent: Mar 29, 2024 09:58 AM
From: codye
Subject: EAP-TLS authentication method setting - authorization required
Maybe I am not understanding the purpose of the Filter tab. I assumed the Filter tab was to verify/check that the filter query entered on the Configuration tab was valid, and returned valid output. Perhaps I am wrong?
If I enter a rather simple filter query on the Configuration tab such as below:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
Then I head to the Attribute tab, enter a valid username, and click execute; it executes fine, returning results.
Then head to the Filter tab, and it loads fine without the error.
(Noting at the bottom the sAMAccountName still shows as =%{Authentication:Username}, not the test username entered on Attribute tab)
However, if I try a compound query such as the one you provided, following the same steps as above, I still get a valid response when executing a test user on the Attribute tab, but when heading over to the Filter tab I still get the error message. I guess I expected the Filter tab to return either sAMAccountName OR userPrincipalName at the bottom, as that is what the query is after. But again, perhaps I am misunderstanding the usage of the Filter tab.
Original Message:
Sent: Mar 28, 2024 08:01 PM
From: chulcher
Subject: EAP-TLS authentication method setting - authorization required
That error you are showing is because you're attempting to run the query with the sAMAccountName set to %{Authentication:Username} rather than a valid value.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 28, 2024 04:03 PM
From: codye
Subject: EAP-TLS authentication method setting - authorization required
Jonas, thanks for sharing your query. I tried yours, but I still get the error on the filter tab...
Here I set your suggested filter (edited for my domain):
Then over on the Filter tab, I still get this error:
Original Message:
Sent: Mar 28, 2024 03:25 PM
From: jonas.hammarback
Subject: EAP-TLS authentication method setting - authorization required
Hi
The syntax of this query is "a bit" confusing, at least for me. I have saved some useful syntaxes over the years and usually use this query:
(&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))
With this syntax the end user can provide the username in the format both with or without the @domain.com and the sAMAccountName format.
In the syntax above the outer parenthesis is AND, by the (& at the beginning, and the inner is OR, by the following (|. So the query is "any username in the given formats" AND userClass=User.
So in your first example the & and | have changed places. In the second I can't see the error; it looks like you just moved the objectClass=user condition.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
Original Message:
Sent: Mar 28, 2024 11:14 AM
From: codye
Subject: EAP-TLS authentication method setting - authorization required
I have tried the two filters below:
(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))
(&(objectClass=user)(|(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username})))
But each produces this error on the Filter tab:
However, if I try only this for the filter, the Filter tab works: (&(sAMAccountName=%{Authentication:Username})(objectClass=user))
Or, if I try this filter, the Filter tab works: (&(userPrincipalName=%{Authentication:Username})(objectClass=user))
I don't understand why, if I "OR" the two using the pipe, it doesn't work.
Original Message:
Sent: Mar 24, 2024 02:56 AM
From: ariyap
Subject: EAP-TLS authentication method setting - authorization required
See if this answers it:
eap-tls-authorization-required
------------------------------
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Mar 22, 2024 12:18 PM
From: codye
Subject: EAP-TLS authentication method setting - authorization required
I would like to verify what this setting is actually checking. Doing my research on this checkbox, I thought this would check if the user account associated with the cert was disabled in AD. However, in my testing of a disabled user account, I am still able to fully authenticate (with authZ) with the cert.
In my auth source, when testing the attribute query for this test user, I can see AD is returning that the account is disabled:
I thought having the Authorization Required checkbox checked would be enough for the RADIUS request to fail given the user account is disabled. Am I wrong?
Do I need to add additional authZ rules checking for the various userAccountControl values associated with disabled accounts?
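Added example, not code from the thread or from ClearPass: a small Python evaluator for the nested AND/OR filter syntax Jonas explains, run against constructed sample entries, together with the userAccountControl check the original question asks about. The filter strings and the %{Authentication:Username} placeholder are taken from the thread; the domain, the directory entries and the lookup/is_disabled helpers are assumptions, and ACCOUNTDISABLE is the well-known 0x2 bit. It shows that a disabled account still satisfies the filter, which is why an explicit authorization rule on that bit is needed rather than the filter alone.

```python
ACCOUNTDISABLE = 0x0002  # well-known userAccountControl bit for a disabled account

# The compound filter from the thread, with domain.com as a placeholder.
COMPOUND_FILTER = ("(&(|(userPrincipalName=%{Authentication:Username}@domain.com)"
                   "(sAMAccountName=%{Authentication:Username})"
                   "(userPrincipalName=%{Authentication:Username}))(objectClass=user))")
# Constructed sample entries standing in for what AD would return.
DIRECTORY = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@domain.com",
     "objectClass": "user", "userAccountControl": 512},  # normal account
    {"sAMAccountName": "bob", "userPrincipalName": "bob@domain.com",
     "objectClass": "user", "userAccountControl": 514},  # 512 | ACCOUNTDISABLE
]

def parse_filter(text):
    # Parse a filter made of (&...), (|...) and (attr=value) items into a tree.
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":  # compound node: AND or OR over its children
            op, pos, children = text[pos], pos + 1, []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # consume the ')' that closes the compound node
            return (op, children)
        end = text.index(")", pos)  # simple (attr=value) item
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)
    tree = node()
    if pos != len(text):
        raise ValueError("unbalanced parentheses in filter")
    return tree

def matches(tree, entry, username):
    # Evaluate a parsed filter against one entry, substituting the username.
    if tree[0] in "&|":
        combine = all if tree[0] == "&" else any
        return combine(matches(c, entry, username) for c in tree[1])
    _, attr, value = tree
    value = value.replace("%{Authentication:Username}", username)
    return str(entry.get(attr, "")).lower() == value.lower()  # AD compares case-insensitively

def lookup(filter_text, username, directory=DIRECTORY):
    tree = parse_filter(filter_text)
    return [e for e in directory if matches(tree, e, username)]

def is_disabled(entry):
    # The check the filter alone never makes: is the ACCOUNTDISABLE bit set?
    return bool(int(entry["userAccountControl"]) & ACCOUNTDISABLE)
```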