We've got a PSK SSID tied to Clearpass via an [Allow All MAC Auth] service, that's using the Endpoints Repository, an external SQL database, Static Hosts List, and AD as authorization sources. I'm able to leverage info from all of these sources to assign roles based on context, but I'd like to clean up the AD piece a little bit.
I started by trying to create the filter query to select computer objects where <some AD attribute> matches <some Clearpass variable> but no matter what I tried it wouldn't return any matches. For example, the default Machine filter: (&(sAMAccountName=%{Host:Name}$)(objectClass=computer)). I think %{Host:Name} is only populated when the client does machine authentication, so I tried some others like %{Authorization:[Endpoints Repository]:Hostname}, since clients being in the endpoints repository is a prerequisite before they can hit this enforcement policy. The idea was that in the enforcement policy I could have a simple rule like "Authorization:ADsource <filtername> EXISTS". No luck there either.
Now I've just got the AD source query set to (objectClass=computer) (which returns all computers from AD and fills the authorization attributes section with a lot of ugly data in access tracker), and the enforcement policy rule is "Authorization:ADSource:<filtername> EQUALS_IGNORE_CASE %{Authorization:[Endpoints Repository]:Hostname}". This gives me the desired end result, but the pile of computer names in access tracker/auth attributes is going to bug me.
So - is there a way I can use a variable in the filter query for AD to only pull results that match, for example, %{Authorization:[Endpoints Repository]:Hostname}?
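To make the difference between the two approaches concrete, here is an added example (not ClearPass code, and not how ClearPass itself implements substitution) that models an LDAP filter template with `%{...}` references being rendered from a request's attribute context. The variable names and filter strings come from the post above; the RFC 4515 escaping and the "unresolved variable means no usable filter" behaviour are assumptions of this model, and the session context is constructed.

```python
import re
from typing import Optional

# ClearPass-style variable reference, e.g. %{Host:Name} or
# %{Authorization:[Endpoints Repository]:Hostname}
VAR_RE = re.compile(r"%\{([^}]+)\}")


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515),
    so a hostname containing '*', '(' or ')' cannot widen the query."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def render_filter(template: str, attrs: dict) -> Optional[str]:
    """Substitute every %{...} reference in the filter template.

    Returns None when a referenced variable is missing or empty in the
    request context, since a filter rendered with an empty value (e.g.
    sAMAccountName=$) can never match the intended computer object.
    """
    missing = []

    def repl(match: "re.Match") -> str:
        name = match.group(1)
        value = attrs.get(name)
        if not value:
            missing.append(name)
            return ""
        return ldap_escape(value)

    rendered = VAR_RE.sub(repl, template)
    return None if missing else rendered


# The default Machine filter from the post, and a variant keyed on the
# Endpoints Repository hostname instead of Host:Name.
MACHINE_FILTER = "(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))"
ENDPOINT_FILTER = (
    "(&(sAMAccountName=%{Authorization:[Endpoints Repository]:Hostname}$)"
    "(objectClass=computer))"
)

# Constructed context for a MAC-auth request: Host:Name is absent because
# no machine authentication happened, but the endpoint record has a hostname.
MAC_AUTH_CONTEXT = {
    "Authorization:[Endpoints Repository]:Hostname": "LAB-PC01",
}
```

Rendering `MACHINE_FILTER` against `MAC_AUTH_CONTEXT` yields no usable filter, while `ENDPOINT_FILTER` renders to a single-computer query, which is the narrowing the post is after.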