Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can't add MAC to AD users

  • 1.  Can't add MAC to AD users

    Posted Nov 22, 2019 04:25 AM

    Hi,


    I want to try MAC auth with AD as the authentication source. I tried adding the client's MAC as an AD user, but it won't allow me to do that, with an error about illegal characters (:) in the username. I'm using Windows Server 2016 for this test. The 802.1X authentications are fine. I tried removing the colons from the MAC address, and that can be saved, but then authentications fail saying the user was not found in AD. Any ideas how MAC auth will work out with AD? Thanks.



  • 2.  RE: Can't add MAC to AD users

    Posted Nov 22, 2019 06:56 AM

    The official answer is that it is not supported, and you should use Guest Devices for this.


    A workaround I've tried that works is to create a new authentication source of LDAP type:

    Hostname: dc-server.domain.net
    Connection Security: None
    Port: 389
    Verify Server Certificate: true
    Bind DN: cn=svc_Clearpass,ou=Service Accounts,ou=...
    Bind Password: ********
    Base DN: ou=Clearpass,ou=Test...
    Search Scope: SubTree Search
    LDAP Referrals: false
    Bind User: false
    Password Attribute: networkAddress
    Password Type: Cleartext
    User Certificate: userCertificate
    Attributes:
    Filters: 1. (networkAddress=%{Authentication:Username})

    [attached screenshot: macauth.png]

    So, a bit of a hack: you switch from using the usual password field in AD to something else; in our case we use the AD attribute networkAddress. userParameters is there for the Cisco iPSK password, don't mind about that. We managed to get iPSK working with AD, but for MPSK you have to use Guest Devices. That's why we've switched from using this hack to Guest.
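Added example, not code from the post or from ClearPass: a small Python emulation of the LDAP-source MAC-auth lookup described in the answer (Filter 1 on networkAddress, then a cleartext compare of the Password Attribute), run against a constructed in-memory directory. The sAMAccountName character check and the case-insensitive string compare are assumptions made for the emulation.

```python
import re

# Note on the answer's settings: Connection Security "None" on port 389 sends the Bind
# Password and every attribute value unencrypted, and "Verify Server Certificate" has
# no effect without TLS.

# Constructed stand-in for the objects under the answer's Base DN (ou=Clearpass,ou=Test...).
# Entry 2 stores the MAC without colons, mirroring the stripped-colon attempt in post 1.
DIRECTORY = [
    {"dn": "cn=printer-01,ou=Clearpass,ou=Test", "networkAddress": ["aa:bb:cc:dd:ee:ff"]},
    {"dn": "cn=badge-02,ou=Clearpass,ou=Test",   "networkAddress": ["112233445566"]},
    {"dn": "cn=jdoe,ou=Clearpass,ou=Test",       "networkAddress": []},
]

# Characters AD rejects in sAMAccountName (assumption for the emulation); the colon is
# why post 1 could not save a MAC address as a user name.
SAM_ILLEGAL = set('"[]:;|=,+*?<>/\\')

def sam_account_name_ok(name):
    """True if AD would accept the name as a sAMAccountName."""
    return not (SAM_ILLEGAL & set(name))

def attr_equal(stored, supplied):
    """Assumption: case-insensitive string compare. No colon/dash normalisation, because
    the filter substitutes %{Authentication:Username} literally, so the stored value must
    be in exactly the format the NAS sends."""
    return stored.strip().lower() == supplied.strip().lower()

def ldap_filter_search(username):
    """Emulate Filter 1, (networkAddress=%{Authentication:Username})."""
    return [e for e in DIRECTORY if any(attr_equal(v, username) for v in e["networkAddress"])]

def mac_auth(username, password):
    """Emulate the auth source: find the entry, then compare the Password Attribute
    (networkAddress, Password Type Cleartext) with the RADIUS password. For MAC auth
    the NAS sends the MAC as both username and password."""
    entries = ldap_filter_search(username)
    if not entries:
        return "REJECT: user not found"   # the failure post 1 saw after stripping colons
    if any(attr_equal(v, password) for v in entries[0]["networkAddress"]):
        return "ACCEPT"
    return "REJECT: password mismatch"

if __name__ == "__main__":
    print(sam_account_name_ok("aa:bb:cc:dd:ee:ff"))            # False: AD refuses the colons
    print(mac_auth("aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff"))  # ACCEPT
    print(mac_auth("11:22:33:44:55:66", "11:22:33:44:55:66"))  # REJECT: user not found
```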