https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining
I made the required changes on my end and it works perfectly.
I am able to perform a machine auth, grab the vlan from the location AD attribute and then grab the AD Group the user is in and return that as a user role.
Original Message:
Sent: Sep 04, 2023 02:19 PM
From: pmonardo
Subject: Fetch machine AD Attribute during machine authentication phase
Understood, but everything seems to check out with the usernames being sent; they all match.
EAP-TLS: the authz attributes display.
EAP-TEAP with Method 1 being EAP-TLS: they don't display.
The only thing changing is the authentication method in the service from EAP-TLS to EAP-TEAP, which contains EAP-TLS as Method 1.
Supplicant configured for smart card or certificate in Method 1, proper root certs are selected, etc.
When moving to EAP-TEAP, the Windows machine authenticates just fine; we just can't pull any authz attributes.
-----------------------------------------------------------
EDIT: You started making me think about it some more...
This is the TEAP username being seen as the supplicant asks for the EAP-PEAP/MSCHAPv2 AD user/pass:
Radius:IETF:User-Name employee1
Can't fetch machine attributes, but the machine authenticates because it is part of the domain.
In EAP-TLS only:
Radius:IETF:User-Name host/EMPLOYEE1.fqdn.com
Username formats are different, which would make sense to me (at least).
When looking at the same authz attributes from both authentications, they differ slightly.
Next question is then: how would we accomplish doing machine auth on EAP-TEAP for Method 1, return some machine attributes, do EAP-PEAP/MSCHAPv2 on Method 2 to authenticate the user and grab different attributes?
------------------------------
Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
Original Message:
Sent: Sep 04, 2023 08:55 AM
From: Herman Robers
Subject: Fetch machine AD Attribute during machine authentication phase
Depending on the authentication method MSCHAPv2 / TLS (with or without TEAP), the username as sent by Windows can differ, and that can also affect the username lookup, including how groups are fetched.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 02, 2023 04:33 PM
From: pmonardo
Subject: Fetch machine AD Attribute during machine authentication phase
This may potentially be a bug; TAC is investigating. This is being tested on the latest version of CPPM as of this writing, 6.11.4.
If the service gets changed to EAP-TLS only, the machine authorization attributes appear.
Converting it back to EAP-TEAP only shows the AD User attributes, not the machine ones.
No machine authz attributes above.
So currently we have no choice but to use EAP-TLS and machine auth to return the VLAN. Need to investigate how to combine User+Machine auth or hack something together.
------------------------------
Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
Original Message:
Sent: Sep 01, 2023 03:20 PM
From: pmonardo
Subject: Fetch machine AD Attribute during machine authentication phase
Customer has a custom attribute for each COMPUTER in AD. The attribute is location, and it contains a number (e.g. 201) which would be the VLAN associated to that laptop.
If that attribute is associated to a user, I can pull that attribute using {%Authorization:ad:location} without issue and return it in an enforcement profile as Aruba-User-Vlan.
Our issue is that this attribute is tied to a computer, and attempting to fetch this attribute is proving to be a challenge, i.e. we cannot query the machine on auth.
We are doing EAP-TEAP with Method 1 being EAP-TLS and Method 2 doing EAP-PEAP/MSCHAPv2.
Is there any way to modify the AD auth source and modify its query so that we can pull this attribute and store it in a variable and eventually in the endpoints repository?
The errors that we see are that ldap.query fails:
2023-09-01 11:34:11,407 [RequestHandler-1-0x7f40f75fa700 h=318 c=R00000007-02-64f20473] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2023-09-01 11:34:11,409 [RequestHandler-1-0x7f40f75fa700 r=R00000007-02-64f20473 h=317 c=R00000007-02-64f20473] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2023-09-01 11:34:11,410 [AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] INFO Ldap.LdapHandle - search: Ignore referral exception, filter=(&(sAMAccountName=)(objectClass=user)) LdapException: , (error=10) Referral
2023-09-01 11:34:11,410 [AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
2023-09-01 11:34:11,411 [AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
2023-09-01 11:34:11,411 [AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
2023-09-01 11:34:11,411 [AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
2023-09-01 11:34:11,411 [AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, locationcomputer, memberOf]
Trying to see what we can do.
I know this is not the best or best-practice way of performing authentication (customer has lots of work on their AD to do to clean it up), but the requirement currently is that we need to validate the computer against the domain, do a machine auth, and return the VLAN. Then do a user auth to figure out which AD group they are part of and return a particular role with that VLAN we retrieved.
Any insights or help would be appreciated!
EDIT 2: Tried both EAP-TEAP methods as EAP-TLS, same result even though the username now comes in as the user@fqdn.com
EDIT 3: THIS IS POSSIBLE! Herman you had done this previously in this post
https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining
I made the changes and I got it to work!
------------------------------
Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
------------------------------
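The thread turns on two things: the User-Name format differs between the EAP-TLS machine auth (host/EMPLOYEE1.fqdn.com) and the TEAP inner user auth (employee1), and the ClearPass log shows the computer filter (&(sAMAccountName=%{Host:Name}$)(objectClass=computer)) failing because Host:Name was empty. The added example below is not from the thread or from ClearPass: it maps each User-Name form to the AD account and object class it should be looked up against, escapes the value per RFC 4515 so a crafted name cannot change the filter, and flags the two log signatures above in constructed sample lines. The DOMAIN\user handling and the sample log lines are assumptions.

```python
import re
# RFC 4515: characters that must be escaped inside an LDAP filter value
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def classify_username(user_name: str) -> dict:
    """Map a RADIUS User-Name to the AD account it names. Forms seen in the thread:
    host/EMPLOYEE1.fqdn.com (machine), employee1 / user@fqdn.com (user). DOMAIN\\user is assumed."""
    if user_name.startswith("host/"):
        host = user_name[len("host/"):].split(".", 1)[0]
        return {"kind": "machine", "sam": host.upper() + "$"}  # computer accounts end in $
    if "@" in user_name:
        return {"kind": "user", "sam": user_name.split("@", 1)[0]}
    if "\\" in user_name:
        return {"kind": "user", "sam": user_name.rsplit("\\", 1)[1]}
    return {"kind": "user", "sam": user_name}

def build_filter(user_name: str) -> str:
    """Filter against the right object class; the value is escaped so a crafted
    User-Name cannot alter the filter structure."""
    ident = classify_username(user_name)
    obj = "computer" if ident["kind"] == "machine" else "user"
    return f"(&(sAMAccountName={ldap_escape(ident['sam'])})(objectClass={obj}))"

# Log checks for the two failure signatures in the thread's log
_UNRESOLVED = re.compile(r"Failed to replace parameString =(.+?), error=No values for param=(\S+)")
_EMPTY_VALUE = re.compile(r"\((\w+)=\)")

def unresolved_params(log_lines) -> dict:
    """{param: filter} for filters that could not be built because the request
    attribute (e.g. Host:Name) was empty."""
    found = {}
    for line in log_lines:
        m = _UNRESOLVED.search(line)
        if m:
            found[m.group(2)] = m.group(1)
    return found

def empty_filter_values(ldap_filter: str) -> list:
    """Attributes compared against an empty string, e.g. (sAMAccountName=)."""
    return _EMPTY_VALUE.findall(ldap_filter)

# Constructed sample lines in the format of the thread's log (not the real log)
SAMPLE_LOG = [
    "... INFO Ldap.LdapHandle - search: filter=(&(sAMAccountName=)(objectClass=user))",
    "... WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString "
    "=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name",
]
```

An empty sAMAccountName or an unresolved Host:Name in these checks means the filter was built from an attribute the current EAP method did not populate, which is the condition to look for before changing the auth source query.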