All-Decade MVP 2020

Base level "Username" attribute and AD UPN formats

New CPPM setup here... just kicking tires.

In our domain UPNs can be easily stripped to produce the base username.  So we can use either the Service username stripping rules, or change the filter to query both sAMAccountName and userPrincipalName.

That allows users to log into a Guest Operator Application service whether they type just their username or (what they understand to be) their email address.

CPPM will adjust the Authentication:Username attribute to contain only their base username. However, the top level "Username" attribute seems to keep the UPN when the UPN is used.  Most critically, this is the value used to determine which devices an operator can see under a profile that has the "Only show accounts created by the operator" option selected.

So the users would see one set of devices if they log in by base username, and another set if they log in by "email address", depending on how they logged in when they created the device.

Is there a way to update that attribute?

Moderator

Re: Base level "Username" attribute and AD UPN formats

Username is always populated as entered. The strip is only used during lookups.

It is always recommended to reject short names (thus requiring fully qualified usernames) for all workflows.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |
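The behaviours discussed in the opening post (a lookup that accepts either sAMAccountName or userPrincipalName, service-level UPN stripping, and an ownership check keyed on the username exactly as typed) together with the moderator's advice to reject short names, as an added Python example. This is not code from the thread or from ClearPass itself; the domain corp.example.com, the device table and the function names are assumptions for illustration. The filter builder also escapes the typed value per RFC 4515, which the thread does not mention but which any filter that substitutes a user-supplied name needs.

```python
"""
Added example: not code from the Airheads thread or from ClearPass itself.

Models three things discussed in the thread: a directory lookup that
accepts either sAMAccountName or userPrincipalName, service-level UPN
stripping, and the ownership check that compares a stored sponsor_name
with whatever the operator typed at login. The domain, the dict keys and
the device table are constructed for illustration.
"""

DOMAIN = "corp.example.com"   # assumed UPN suffix of the local AD domain

# RFC 4515 escapes for values substituted into an LDAP search filter.
# Without this a typed name such as "*)(objectClass=*" rewrites the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape one value for safe substitution into an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def lookup_filter(typed: str) -> str:
    """Authentication-source filter matching either attribute form."""
    v = ldap_escape(typed)
    return f"(&(objectClass=user)(|(sAMAccountName={v})(userPrincipalName={v})))"


def strip_upn(typed: str) -> str:
    """Service-level stripping: drop the suffix only when it is our own domain."""
    local, sep, suffix = typed.partition("@")
    if sep and suffix.lower() == DOMAIN:
        return local
    return typed


def canonical(typed: str) -> str:
    """One key for ownership decisions: lower-cased and always fully qualified."""
    base = strip_upn(typed).lower()
    return base if "@" in base else f"{base}@{DOMAIN}"


def accept_username(typed: str, allow_short: bool = False):
    """Policy gate. With allow_short=False (the moderator's recommendation)
    a bare short name is rejected and None is returned; otherwise the
    canonical form is returned."""
    if "@" not in typed and not allow_short:
        return None
    return canonical(typed)


# Constructed sponsor/device table. sponsor_name is stored exactly as typed,
# which is the behaviour the thread describes for the top-level Username.
DEVICES = [
    {"mac": "00:11:22:33:44:01", "sponsor_name": "jdoe"},
    {"mac": "00:11:22:33:44:02", "sponsor_name": "jdoe@corp.example.com"},
    {"mac": "00:11:22:33:44:03", "sponsor_name": "asmith"},
]


def visible_devices(devices, operator: str, key=None):
    """Emulate "only show accounts created by the operator".
    key=None compares raw strings (as typed); key=canonical compares identities."""
    k = key or (lambda s: s)
    return [d["mac"] for d in devices if k(d["sponsor_name"]) == k(operator)]


if __name__ == "__main__":
    for name in ("jdoe", "jdoe@corp.example.com"):
        print(name, "raw:", visible_devices(DEVICES, name))
        print(name, "canonical:", visible_devices(DEVICES, name, canonical))
    print(lookup_filter("j*doe"))
    print(accept_username("jdoe"), accept_username("jdoe@corp.example.com"))
```

Run as-is, the raw comparison shows the split the opening post complains about (each login form sees only the devices created under that form) while the canonical comparison shows both sets for either form. The filter string is only a model of what a filter built around %{Authentication:Username} expands to, not ClearPass's own substitution engine.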

All-Decade MVP 2020

Re: Base level "Username" attribute and AD UPN formats

Hrm, well... the backoff strategy that might best serve the users here would be to ban UPNs actually, recommendations be damned.

Can we emulate the behavior of the "operator filter" using the User account filter?  I was able to filter on sponsor_name but the freeRADIUS-style variable substitution does not seem to apply here... e.g.

sponsor_name=%{Authentication:Username}

...does not seem to do the trick.

Is there a different syntax or list of variables that can be injected into the user account filter and session filters?

Moderator

Re: Base level "Username" attribute and AD UPN formats

No, you cannot.

The recommendation is to use your existing single sign on solution, which should be using fully qualified usernames.



All-Decade MVP 2020

Re: Base level "Username" attribute and AD UPN formats

Bummer.  I'll go wishlist that with my SE.
