  • 1.  Users showing as DOMAIN\user@domain.com

    Posted May 18, 2021 11:36 AM
    Edited by ricardoduarte May 18, 2021 11:36 AM
    Hi,

    I'm getting an issue where some of my users' usernames show in ClearPass as DOMAIN\user@domain.com.
    And while I'm using "Strip Username Rules" as user:@,\:user , it only strips part of the username and the users end up as DOMAIN\user.
    That will then fail to match stuff on my Authorization sources. But does work with Authentication.
    So the users are still able to login but the wrong username then creates a lot of issues for me.

    I can't find a way to fix this. Any idea?

    Thanks

    ------------------------------
    Ricardo Duarte
    ------------------------------


  • 2.  RE: Users showing as DOMAIN\user@domain.com

    Posted May 19, 2021 04:41 AM
    The username is sent by the client (for 802.1X), so you will need to check on the client how to fix this.

    Do you see a specific type of client doing this?
    What type of authentication do you use?
    How are your clients managed/configured for 802.1X?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Users showing as DOMAIN\user@domain.com

    Posted May 19, 2021 07:42 AM
    Hi,

    The problem happens when users enter user@domain.com as their usernames, and the machine is Azure AD joined.
    Unfortunately I do not have "management authority" into those computers, so I'm trying to find a way for ClearPass to cope with this.

    My current workaround is to reject everything with username BEGINS_WITH DOMAIN\.

    Regards

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 4.  RE: Users showing as DOMAIN\user@domain.com

    Posted May 19, 2021 10:02 AM
    Have not seen this before.

    You may check with Aruba Support if they have a solution to this. My personal feeling would be that the client should not send the username like this, but as a workaround, you may try to change the LDAP query to match the full user@domain as well (UPN). This video may get you started, and with some LDAP query knowledge you probably can either create a query that matches each of the variants; or you may be successful in replicating your service, and create separate services for each of them.

    I could consider that other services that depend on the user name, through SSO for example, may experience similar issues. Preventing users from typing their usernames in different formats may be useful anyway in the long term.

    ------------------------------
    Herman Robers
    ------------------------
    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
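
The "query that matches each of the variants" idea from the reply above, sketched in Python as an added example; it is not part of the original thread and is not ClearPass configuration. The function names are hypothetical, and it assumes an Active Directory backend where the user part of the identity is the sAMAccountName and the part after `@` is the UPN suffix.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters so a typed username cannot alter the query."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def parse_identity(identity: str) -> dict:
    """Split an 802.1X identity into NetBIOS domain, user and UPN.

    Handles user, DOMAIN\\user, user@domain.com and DOMAIN\\user@domain.com.
    """
    # Everything before the last backslash is the NetBIOS prefix (if any).
    domain, sep, rest = identity.strip().rpartition("\\")
    # Everything after the first "@" is the UPN suffix (if any).
    user, at, suffix = rest.partition("@")
    if not user:
        raise ValueError(f"no user part in identity: {identity!r}")
    return {
        "netbios": domain if sep else None,
        "user": user,
        "upn": f"{user}@{suffix}" if at and suffix else None,
    }


def build_filter(identity: str) -> str:
    """Build one AD filter matching the account by sAMAccountName or UPN."""
    parts = parse_identity(identity)
    clauses = [f"(sAMAccountName={ldap_escape(parts['user'])})"]
    if parts["upn"]:
        clauses.append(f"(userPrincipalName={ldap_escape(parts['upn'])})")
    match = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass=user){match})"


if __name__ == "__main__":
    # Constructed sample identities in the four shapes discussed in the thread.
    for sample in ("user", "DOMAIN\\user", "user@domain.com", "DOMAIN\\user@domain.com"):
        print(f"{sample:26} -> {build_filter(sample)}")
```

Because the OR clause can match two different accounts when one user's UPN prefix equals another user's sAMAccountName, the lookup should be treated as failed unless it returns exactly one entry.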



  • 5.  RE: Users showing as DOMAIN\user@domain.com

    Posted Sep 06, 2023 01:18 PM

    Ricardo...we have started seeing this issue after upgrading to Windows 11 with Azure AD joined machines.  Did you ever find a solution other than the workaround?