Security


EAP-TLS authentication method setting - authorization required

  • 1.  EAP-TLS authentication method setting - authorization required

    Posted Mar 22, 2024 12:19 PM

    Would like to verify what this setting is actually checking. Doing my research on this checkbox, I thought this would check if the user account associated with the cert was disabled in AD. However in my testing of a disabled user account, I am still able to fully authenticate (with authZ) with the cert.

    In my auth source, when testing the attribute query for this test user, I can see AD is returning that the account is disabled:

    I thought having the Authorization Required checkbox checked would be enough for the radius request to fail given the user account is disabled. Am I wrong?

    Do I need to add additional authZ rules checking for the various userAccountControl values associated with disabled accounts?
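
    As an added example (not ClearPass's code and not from this thread), here is the check the question is after: the disabled state is a single bit (0x2) of userAccountControl, so a rule that tests that bit covers every whole value a disabled account can carry (514, 66050, ...), whereas a rule that matches a fixed list of values does not. It assumes userAccountControl has been added to the auth source's attribute query so it is returned alongside the other attributes.

```python
# Added example, not ClearPass code: an authorization decision driven by the AD
# userAccountControl attribute. Assumes the attribute was added to the auth
# source's attribute query so it is present in the result dict below.
ACCOUNTDISABLE = 0x0002          # UF_ACCOUNTDISABLE: the "account is disabled" bit
NORMAL_ACCOUNT = 0x0200          # UF_NORMAL_ACCOUNT (512)
DONT_EXPIRE_PASSWORD = 0x10000   # UF_DONT_EXPIRE_PASSWD (65536)

def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(int(uac) & ACCOUNTDISABLE)

def authorize(attrs):
    """Return (allowed, reason) for one attribute-query result.

    attrs is a dict of attribute name -> list of values, the shape an LDAP
    search returns. Missing attribute = deny, so a misconfigured query fails closed.
    """
    raw = attrs.get("userAccountControl")
    if not raw:
        return False, "userAccountControl not returned; add it to the auth source attributes"
    uac = int(raw[0])            # AD returns the flags as a decimal string
    if is_disabled(uac):
        return False, f"account disabled (userAccountControl={uac})"
    return True, "account enabled"

def equals_rule(attrs, denied_values=("514",)):
    """An equality-style rule (deny only listed whole values) for comparison.

    It catches the plain disabled value 514 but lets 66050 (disabled +
    password-never-expires) through, which is the gap the bit test closes.
    """
    return attrs.get("userAccountControl", [""])[0] not in denied_values

# Constructed attribute-query results, shaped like what the auth source returns
SAMPLES = {
    "enabled":           {"sAMAccountName": ["jdoe"], "userAccountControl": ["512"]},
    "disabled":          {"sAMAccountName": ["jdoe"], "userAccountControl": ["514"]},
    "disabled_noexpire": {"sAMAccountName": ["jdoe"], "userAccountControl": ["66050"]},
    "no_uac":            {"sAMAccountName": ["jdoe"]},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(f"{name:18} bit-test={authorize(attrs)}  equals-rule={equals_rule(attrs)}")
```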



  • 2.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 24, 2024 02:56 AM

    See if this answers it:

    eap-tls-authorization-required



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 28, 2024 11:15 AM

    I have tried the two filters below:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

    (&(objectClass=user)(|(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username})))

    But each produces this error on the Filter tab:

    However, if I try only this for the filter, the Filter tab works: (&(sAMAccountName=%{Authentication:Username})(objectClass=user))

    Or, if I try this filter, the Filter tab works: (&(userPrincipalName=%{Authentication:Username})(objectClass=user))

    I don't understand why, if I "OR" the two using the pipe, it doesn't work.




  • 4.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 28, 2024 03:25 PM

    Hi

    The syntax of this query is "a bit" confusing, at least for me. I have saved some useful syntaxes over the years and usually use this query:

    (&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))

    With this syntax the end user can provide the username in the format both with or without the @domain.com and the sAMAccountName format.

    In the syntax above the outer parentheses are AND by the (& in the beginning and the inner is OR by the following (|. So the query is "any username in the given formats" AND of userClass=User.

    So in your first example the & and | have changed places. In the second I can't see the error; it looks like you just moved the objectClass=user condition.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
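
    To check what the three filters in this thread actually select, here is a small RFC 4515 filter evaluator added as an example (not ClearPass's code and not from any poster). It substitutes the ClearPass %{Authentication:Username} macro, parses the (&), (|) and attr=value forms used above, and runs them against constructed directory entries; the domain example.com and the user jdoe are made up.

```python
# Added example, not ClearPass code: a minimal RFC 4515 filter evaluator for the
# (&), (|) and attr=value forms used in this thread, with the ClearPass
# %{Authentication:Username} macro substituted before parsing.
MACRO = "%{Authentication:Username}"

def parse(s, i=0):
    """Recursive-descent parser; returns (node, offset after the node)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                      # (&...) or (|...): list of sub-filters
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")" or not kids:
            raise ValueError(f"unbalanced filter near offset {i}")
        return (op, kids), i + 1
    j = s.find(")", i)                    # (attr=value) equality item
    attr, sep, value = s[i:j].partition("=")
    if j < 0 or not sep or not attr:
        raise ValueError(f"bad filter item near offset {i}")
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr_lower: [values]} (case-insensitive)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def ldap_match(filter_text, username, entry):
    """True if entry satisfies filter_text once the username macro is filled in."""
    text = filter_text.replace(MACRO, username)
    tree, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return matches(tree, {k.lower(): v for k, v in entry.items()})

# The thread's filters: Jonas's (with a constructed example.com domain) and the OP's two.
JONAS = ("(&(|(userPrincipalName=" + MACRO + "@example.com)(sAMAccountName=" + MACRO
         + ")(userPrincipalName=" + MACRO + "))(objectClass=user))")
OP_A = ("(|(&(sAMAccountName=" + MACRO + ")(objectClass=user))"
        "(&(userPrincipalName=" + MACRO + ")(objectClass=user)))")
OP_B = "(&(objectClass=user)(|(sAMAccountName=" + MACRO + ")(userPrincipalName=" + MACRO + ")))"

# Constructed entries shaped like an AD attribute-query result
USER = {"sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@example.com"], "objectClass": ["top", "person", "organizationalPerson", "user"]}
GROUP = {"sAMAccountName": ["jdoe"], "objectClass": ["top", "group"]}
```

    All three filters parse cleanly and select the same entries, so the Filter-tab error is not a syntax problem with the compound form.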



  • 5.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 28, 2024 04:03 PM

    Jonas, thanks for sharing your query. I tried yours, but I still get the error on the filter tab...

    Here I set your suggested filter (edited for my domain):

    Then over on the Filter tab, I still get this error:




  • 6.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 28, 2024 08:01 PM

    That error you are showing is because you're attempting to run the query with the sAMAccountName set to %{Authentication:Username} rather than a valid value.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 28, 2024 08:02 PM

    And the query I've used for years to enable UPN.

    ******
    <Active Directory Auth Source>
    Modification to existing Authentication filter configuration to enable UPN lookup:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 29, 2024 09:59 AM

    Maybe I am not understanding the purpose of the Filter tab. I assumed the Filter tab was to verify/check that the filter query entered on the Configuration tab was valid, and returned valid output. Perhaps I am wrong?

    If I enter a rather simple filter query on the Configuration tab such as below:
    (&(sAMAccountName=%{Authentication:Username})(objectClass=user))

    Then head to Attribute tab and enter a valid username, and click execute, it executes fine returning results.
    Then head to the Filter tab, and it loads fine without the error.
    (Noting at the bottom the sAMAccountName still shows as =%{Authentication:Username}, not the test username entered on Attribute tab)

    However, if I try a compound query such as the query you provided, following the same steps as above, and still get a valid response when executing a test user on the Attribute tab, then heading over to the Filter tab I still get the error message. I guess I expected the Filter tab to return either sAMAccountName OR userPrincipalName at the bottom, as that is what the query is after. But again, perhaps I am misunderstanding the usage of the Filter tab.






  • 9.  RE: EAP-TLS authentication method setting - authorization required

    Posted Mar 29, 2024 10:27 AM

    Apologies, wasn't looking at that closely enough. The "Filter" tab allows you to add attributes to the filter by clicking directly into the returned data. And correct, a compound query with multiple parameters will result in that error.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: EAP-TLS authentication method setting - authorization required