Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Fetch machine AD Attribute during machine authentication phase

  • 1.  Fetch machine AD Attribute during machine authentication phase

    Posted Sep 01, 2023 03:20 PM

    Customer has a custom attribute for each COMPUTER in AD. Attribute is location and that contains a number (e.g. 201) which would be the vlan associated to that laptop.

    If that attribute is associated to a user, I can pull that attribute using {%Authorization:ad:location} without issue and return it in an enforcement profile as Aruba-User-Vlan. 

    Our issue is that this attribute is tied to a computer and attempting to fetch this attribute is proving to be a challenge, i.e. we cannot query the machine on Auth. 

    We are doing EAP-TEAP with method 1 being EAP-TLS and method 2 doing EAP-PEAP/MsCHAPv2. 

    Is there any way to modify the ad auth source and modify its query so that we can pull this attribute and store it in a variable and eventually in the endpoints repository?

    Errors that we see are that ldap.query fails...

    2023-09-01 11:34:11,407	[RequestHandler-1-0x7f40f75fa700 h=318 c=R00000007-02-64f20473] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2023-09-01 11:34:11,409	[RequestHandler-1-0x7f40f75fa700 r=R00000007-02-64f20473 h=317 c=R00000007-02-64f20473] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2023-09-01 11:34:11,410	[AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] INFO Ldap.LdapHandle - search: Ignore referral exception, filter=(&(sAMAccountName=)(objectClass=user)) LdapException: , (error=10) Referral
    2023-09-01 11:34:11,410	[AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
    2023-09-01 11:34:11,411	[AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
    2023-09-01 11:34:11,411	[AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
    2023-09-01 11:34:11,411	[AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
    2023-09-01 11:34:11,411	[AuthReqThreadPool-5-0x7f4173dfe700 r=R00000007-02-64f20473 h=30] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, locationcomputer, memberOf]


    Trying to see what we can do.

    I know this is not the best or best practice way of performing authentication (customer has lots of work on their AD to do to clean it up) but the requirement currently is that we need to validate the computer against the domain, do a machine auth, return the vlan. Do a user auth to figure out which AD group they are part of and return a particular role with that vlan we retrieved. 

    Any insights or help would be appreciated! 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------


  • 2.  RE: Fetch machine AD Attribute during machine authentication phase

    Posted Sep 02, 2023 04:34 PM

    This may potentially be a bug; TAC is investigating. This is being tested on the latest version of CPPM as of this writing, 6.11.4.

    If the service gets changed to EAP-TLS only, the machine authorization attributes appear. 

    Converting it back to EAP-TEAP, only shows the AD User attributes, not the machine ones. 

    No machine authz attributes above. 

    So currently we have no choice but to use EAP-TLS and machine auth to return the VLAN. Need to investigate how to combine User+Machine auth or hack something together. 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------



  • 3.  RE: Fetch machine AD Attribute during machine authentication phase

    Posted Sep 04, 2023 08:55 AM

    Depending on the authentication method MSCHAPv2 / TLS (with or without TEAP), the username as sent by Windows can differ and that can also affect the username lookup including how groups are fetched.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Fetch machine AD Attribute during machine authentication phase

    Posted Sep 04, 2023 02:20 PM

    Understood, but everything seems to check out with usernames being sent; they all match.

    EAP-TLS, the authz attributes display
    EAP-TEAP Method1 being EAP-TLS, they don't display. 

    The only thing changing is the authentication method in the service from EAP-TLS to EAP-TEAP which contains EAP-TLS as method 1.

    Supplicant configured for smart card or certificate in Method 1, proper root certs are selected, etc. 

    When moving to EAP-TEAP, the windows machine authenticates just fine, we just can't pull any authz attributes. 

    -----------------------------------------------------------

    EDIT: You started making me think about it some more...

    This is the TEAP username being seen as the supplicant asks for the EAP-PEAP/MSCHAPv2 AD user/pass

    Radius:IETF:User-Name  employee1

    Can't fetch machine attributes but machine authenticates because it is part of the domain.

    In EAP-TLS only, 

    Radius:IETF:User-Name  host/EMPLOYEE1.fqdn.com

    Username formats are different which would make sense to me (at least) 

    When looking at the same authz attributes from both authentications, they differ slightly....

    Next question is then, how would we accomplish doing machine auth on EAP-TEAP for Method 1, return some machine attributes, do EAP-PEAP/MSCHAPv2 on Method 2 to authenticate the user and grab different attributes? 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------
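The two posts above show the mechanism behind the log warnings in the first post: the authorization query template `(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))` can only be built when the RADIUS User-Name arrives in the `host/NAME.fqdn` form, so a TEAP session that presents `employee1` yields "No values for param=Host:Name" and the computer lookup is skipped. The following Python model is an added example, not ClearPass code and not from the thread's author; it reproduces that data flow so the failure can be checked outside a live deployment. The parameter name `Authentication:Username`, the user filter template and the `host/` parsing rule are assumptions made for the model, while `Host:Name` and the computer filter template are taken from the quoted log lines. The model also escapes substituted values per RFC 4515, a defensive step the page does not discuss.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Computer filter template as it appears in the thread's ClearPass log lines;
# the user template is an assumption for this model.
COMPUTER_FILTER_TEMPLATE = "(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))"
USER_FILTER_TEMPLATE = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515),
    so an attacker-controlled identity string cannot change the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class Identity:
    kind: str                  # "machine" or "user"
    username: str              # value exposed as Authentication:Username (assumed name)
    host_name: Optional[str]   # value exposed as Host:Name; None for a user identity


def classify_user_name(user_name: str) -> Identity:
    """Derive the lookup parameters from the RADIUS User-Name.

    Machine authentication presents 'host/NAME.domain' (the EAP-TLS case in
    the thread); user authentication presents a bare name, DOMAIN\\user or
    user@realm. The 'host/' parsing rule is an assumption of this model.
    """
    m = re.match(r"^host/([^.]+)(?:\..*)?$", user_name, re.IGNORECASE)
    if m:
        return Identity("machine", user_name, m.group(1).upper())
    bare = user_name.split("\\")[-1].split("@")[0]
    return Identity("user", bare, None)


def render(template: str, params: dict) -> str:
    """Substitute %{param} placeholders with escaped values; raise when a
    parameter has no value, mirroring the 'No values for param=...' warning."""
    def sub(m: re.Match) -> str:
        key = m.group(1)
        if params.get(key) is None:
            raise KeyError(f"No values for param={key}")
        return ldap_escape(params[key])
    return re.sub(r"%\{([^}]+)\}", sub, template)


def build_filters(user_name: str) -> dict:
    """Build both lookup filters for one User-Name and report which ones
    could not be constructed, as the ClearPass log did."""
    ident = classify_user_name(user_name)
    params = {"Authentication:Username": ident.username, "Host:Name": ident.host_name}
    result = {"kind": ident.kind}
    for name, tmpl in (("computer", COMPUTER_FILTER_TEMPLATE), ("user", USER_FILTER_TEMPLATE)):
        try:
            result[name] = render(tmpl, params)
        except KeyError as exc:
            result[name] = f"FAILED: {exc.args[0]}"
    return result


if __name__ == "__main__":
    # Constructed sample identities matching the two forms quoted in the thread.
    for name in ("host/EMPLOYEE1.fqdn.com", "employee1"):
        print(name, "->", build_filters(name))
```

Running the block prints a usable computer filter for the `host/` form and a `FAILED: No values for param=Host:Name` entry for the plain username, which is the same outcome the first post's log records; the `ldap_escape` step is what keeps a User-Name such as `emp*)(x=y` from altering the filter when an identity-derived value is inserted into a query.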



  • 5.  RE: Fetch machine AD Attribute during machine authentication phase
    Best Answer

    Posted Sep 04, 2023 08:50 PM

    Actually @herman-robers1 you got this to work already in this post

    https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining

    I made the required changes on my end and it works perfectly.

    I am able to perform a machine auth, grab the vlan from the location AD attribute and then grab the AD Group the user is in and return that as a user role. 

    SOLVED! 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------