
Authorization attributes for Onboarded PEAP devices

I am trying to pull authorization info from AD (memberOf, etc.) for onboarded devices. I am finding that Android and Windows devices which use PEAP with unique device credentials are not able to fetch this info for authorization. I have done this many times with older versions of ClearPass (6.0 - 6.2) by cloning the AD auth source and changing the Authentication filter query from




However, this trick does not appear to be working in ClearPass 6.3. In the Access Tracker logs, I get:

WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Onboard:Owner})(objectClass=user)), error=No values for param=Onboard:Owner
WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))

 So it seems like something has changed with onboarded device info stored in ClearPass.  


I also note that there is a default filter for "Onboard MemberOf" in the AD auth source, with the same filter query I listed above. This looks like it should do what I need; however, when I include it in the role mapping policy, it does not appear to work, and I do not see the AD group info under the Computed Attributes in Access Tracker.


Does anyone know the proper way to pull this authorization info in ClearPass 6.3?  




Re: Authorization attributes for Onboarded PEAP devices


If you haven't, you should open a TAC case.


I experienced some issues with RADIUS and TACACS authentications; these were working fine before upgrading from 6.2 to 6.3.



Thank you

Victor Fabian
Lead Mobility Architect @WEI