How to authenticate machines from the same AD domain when some of them have an added suffix in the username


As an admin you may have a setup where some of the domain machines carry an extra suffix in their username (typically pushed through a GPO). How can all of those machines be authenticated in CPPM?


Prerequisites: We assume the reader knows how to add an AD authentication source in CPPM and how to create service rules in a service.


We can break this problem into two cases:

  • Machines from different AD domains
  • Machines in the same domain but with different full names (some include a suffix)


For the first case it is straightforward to set up two services, each selected by a service rule that matches its domain (under Service > Service Rule) and each using an authentication source that points at that domain's AD server. The same can be achieved in a single service with both AD authentication sources attached, but then you must make sure that no machine name exists in both domains.

ClearPass checks the authentication sources of a service in order (top to bottom). If the username is found in the first authentication source, CPPM does not move on to the next source in the list, so a duplicate name would always be resolved against the first source.


For the second case the machines are all in the same domain, but some of them have a suffix added to their name (via GPO). Here we create two different services and distinguish them with the Authentication:Full-Username attribute (in Service > Service Rule).

Say the first service has the service rule: Authentication : Username : CONTAINS : host/

For the second service: Authentication : Full-Username : CONTAINS : (the suffix that the GPO adds; "workstation" in the example below)

Note that the first rule also matches the suffixed machines, since their identity contains "host/" too. Services are evaluated top to bottom and the first match wins, so place the suffix service above the generic one in the service order (or add a NOT_CONTAINS condition for the suffix to the first service).

We also need to make a copy of the AD authentication source. In the copy, enable the "Always use NETBIOS name" checkbox.



The reason for copying the authentication source and enabling the NETBIOS option is that authentication would otherwise fail for the machines with a suffix in the username. CPPM derives the domain from the full username, so it treats the suffix ("workstation" in this example) as a sub-domain; because no such sub-domain exists, the authentication fails.

(Access Tracker shows an error like: "Did not find socket directory for domain Returning /var/avenda/tips/samba/samba_ORG/winbindd_privileged")

Now use this copied authentication source (with the NETBIOS checkbox enabled) in the second service. Since the NETBIOS name is the same for all of these machines (say "ABC"), CPPM queries the right domain and all machines authenticate successfully.
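The following Python script is an added illustration of the behaviour described above, not ClearPass code or anything from the original article. It models the two service rules, the top-to-bottom service order, and the way the AD domain is derived from a machine identity with and without "Always use NETBIOS name". The sample identities, the domain abc.com with NETBIOS name ABC, the suffix "workstation", the service names and the exact way the Username attribute is derived are all assumptions made for the example. Running it shows why a suffixed machine is rejected when it lands on the plain authentication source, and why it is accepted once the suffix service (with the NETBIOS option) is evaluated first.

```python
from dataclasses import dataclass

DNS_DOMAIN = "abc.com"      # assumption: the joined AD domain
NETBIOS_NAME = "ABC"        # assumption: its NETBIOS name
SUFFIX = "workstation"      # assumption: the suffix the GPO adds

# Constructed sample identities, as they would appear in Access Tracker (not real data).
SAMPLE_IDENTITIES = [
    "host/pc01.abc.com",
    "host/pc02.workstation.abc.com",
    "host/pc03.abc.com",
    "host/pc04.workstation.abc.com",
]


@dataclass
class Service:
    name: str                 # hypothetical service name
    attribute: str            # "Username" or "Full-Username"
    contains: str             # service rule: <attribute> CONTAINS <value>
    always_use_netbios: bool  # setting on the auth source this service uses


def full_username(identity):
    """Authentication:Full-Username is the identity exactly as sent."""
    return identity


def username(identity):
    """Authentication:Username, modelled (assumption) as the identity with the
    realm removed: 'host/pc02.workstation.abc.com' -> 'host/pc02'."""
    name = identity.split("@", 1)[0]
    if name.lower().startswith("host/") and "." in name:
        name = name.split(".", 1)[0]
    return name


def derived_domain(identity, always_use_netbios):
    """Domain the auth source will query: the NETBIOS name when the option is
    set, otherwise the DNS suffix parsed out of the identity. With the suffix
    present that parsed value is 'workstation.abc.com', which does not exist."""
    if always_use_netbios:
        return NETBIOS_NAME
    name = identity.split("@", 1)[0]
    return name.split(".", 1)[1] if "." in name else None


def matches(service, identity):
    value = username(identity) if service.attribute == "Username" else full_username(identity)
    return service.contains.lower() in value.lower()


def authenticate(identity, services):
    """First matching service wins (services are evaluated top to bottom).
    Returns (service name, 'ACCEPT' | 'REJECT' | 'NO_SERVICE')."""
    for svc in services:
        if not matches(svc, identity):
            continue
        domain = derived_domain(identity, svc.always_use_netbios)
        if domain in (DNS_DOMAIN, NETBIOS_NAME):
            return svc.name, "ACCEPT"
        return svc.name, "REJECT"  # unknown sub-domain such as workstation.abc.com
    return None, "NO_SERVICE"


# Service order with the suffix service first, so the broad
# 'Username CONTAINS host/' rule does not swallow the suffixed machines.
SERVICES = [
    Service("Machine-Auth-Suffix", "Full-Username", SUFFIX, always_use_netbios=True),
    Service("Machine-Auth", "Username", "host/", always_use_netbios=False),
]


def run(identities=SAMPLE_IDENTITIES, services=SERVICES):
    """Map each identity to the (service, outcome) pair it would get."""
    return {i: authenticate(i, services) for i in identities}


if __name__ == "__main__":
    for ident, (svc, result) in run().items():
        print(f"{ident:35} -> {svc or '-':22} {result}")
    print("\nSame two services, wrong order (generic service first):")
    for ident, (svc, result) in run(services=SERVICES[::-1]).items():
        print(f"{ident:35} -> {svc or '-':22} {result}")
```

The second run in the script reverses the service order; the suffixed machines then match the generic "host/" service, their derived domain becomes "workstation.abc.com", and they are rejected, which is exactly the failure the Access Tracker error above corresponds to.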

Version history: Revision 2 of 2, last updated 02-21-2017 03:27 PM