Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass AD source using Repository Endpoint Hostname

  • 1.  ClearPass AD source using Repository Endpoint Hostname

    Posted Mar 02, 2020 06:39 AM

    We are trying to add AD computer account attributes as an additional AD authorization source LDAP query.
    Our main type of authentication is macauth, and we are unable to use 802.1X machine authentication at this moment. Therefore we are trying to use the endpoint repository hostname for the LDAP query.


    Of course, using the Endpoint DHCP Hostname data as the single authentication source itself would be bad, since it is easily spoofed.


    Based on some other solutions offered by the community we have set up a new AD source with the filter query below:


    (&(cn=%{Authorization:[Endpoints Repository]:Hostname})(objectClass=computer))


    Source_ADFilter.PNG

    Executing the filter manually with a hostname works well.


    The service itself is set up with two authentication sources, the [Endpoint Repository] and the created AD Source.

    Service.PNG

    But this still doesn't do the job; the additional attributes do not show up with authentication. Based on some other forum posts it seems others got this working.


    The access tracker log shows the error below:

    WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(cn=%{Authorization:Endpoints Repository]:Hostname})(objectClass=computer)), error=No values for param=Authorization:Endpoints Repository]:Hostname

    WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(cn=%{Authorization:Endpoints Repository]:Hostname})(objectClass=computer))


    Any suggestions are much appreciated!

    Arjen
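
    As an added illustration (not ClearPass code; the thread does not show how ClearPass parses or substitutes these references), a small Python model of the %{...} substitution in the filter above: it reproduces the "No values for param" failure when the hostname is not yet known, and escapes the substituted value per RFC 4515 so a spoofed DHCP hostname cannot change the structure of the LDAP filter. The nested attribute dictionary and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Mapping

# The filter template from the thread (ClearPass %{namespace:attribute} syntax).
THREAD_FILTER = "(&(cn=%{Authorization:[Endpoints Repository]:Hostname})(objectClass=computer))"

# Constructed sample of the per-request attributes; ClearPass's real internal
# data model is not shown on the page, so this nested dict is an assumption.
SAMPLE_ATTRS: Dict[str, Dict[str, str]] = {
    "Authorization:[Endpoints Repository]": {"Hostname": "LAPTOP-0123", "IsProfiled": "true"},
    "Connection": {"Client-Mac-Address": "00-11-22-33-44-55"},
}
PARAM_RE = re.compile(r"%\{([^}]+)\}")

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out: List[str] = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def missing_params(template: str, attrs: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return every %{...} reference that has no value in attrs (the thread's error case)."""
    missing = []
    for ref in PARAM_RE.findall(template):
        namespace, _, attr = ref.rpartition(":")
        if not attrs.get(namespace, {}).get(attr):
            missing.append(ref)
    return missing

def render_filter(template: str, attrs: Mapping[str, Mapping[str, str]]) -> str:
    """Substitute each reference with its escaped value; fail loudly if any is unset."""
    unset = missing_params(template, attrs)
    if unset:
        raise KeyError("No values for param=" + ", ".join(unset))

    def repl(m: "re.Match[str]") -> str:
        namespace, _, attr = m.group(1).rpartition(":")
        return ldap_escape(attrs[namespace][attr])

    return PARAM_RE.sub(repl, template)

if __name__ == "__main__":
    print(render_filter(THREAD_FILTER, SAMPLE_ATTRS))
    # A spoofed DHCP hostname carrying LDAP metacharacters is neutralised by escaping.
    print(render_filter(THREAD_FILTER, {"Authorization:[Endpoints Repository]": {"Hostname": "*)(objectClass=*"}}))
```

    Running missing_params() against the Access Tracker's Input Authorization fields is the check to make before blaming the AD source: an empty list means the reference resolves and the filter itself is the problem.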



  • 2.  RE: ClearPass AD source using Repository Endpoint Hostname

    EMPLOYEE
    Posted Mar 02, 2020 09:19 AM

    This is not supported.



  • 3.  RE: ClearPass AD source using Repository Endpoint Hostname

    EMPLOYEE
    Posted Mar 02, 2020 09:37 AM

    I suspect the problem here is the Hostname. Typically with a Windows PC, [Endpoint Repository]:Hostname is populated by the DHCP Fingerprint. If this is the first time this device has been connected, the Hostname will not be known.

    Because of this you have to place the device into a "profiling" role (i.e. (Authorization:[Endpoints Repository]:IsProfiled EQUALS false) OR (Authorization:[Endpoints Repository]:IsProfiled NOT_EXISTS) --> Not_Profiled). Hence, the PC initiates a DHCP Request and ClearPass hopefully will record the hostname; if you had configured the Service's Profiler, the act of profiling will cause the device to re-authenticate (i.e. a profile transition from <not exist>, or at best Unknown, to Windows xyz). When the device connects, the [Endpoint Repository]:Hostname should exist and your LDAP lookup should work.



  • 4.  RE: ClearPass AD source using Repository Endpoint Hostname

    Posted Mar 02, 2020 01:41 PM

    Thank you dmellor!


    Can confirm that the devices are already profiled and have their hostname set in the endpoint profile.



  • 5.  RE: ClearPass AD source using Repository Endpoint Hostname

    EMPLOYEE
    Posted Mar 02, 2020 01:52 PM

    Are you seeing the Hostname in the AccessTracker's Input Authorization fields?

    If not you need to add the [Endpoint Repository] to the Authorization fields - see attached.




  • 6.  RE: ClearPass AD source using Repository Endpoint Hostname

    Posted Mar 02, 2020 01:55 PM

    The access tracker authorization input field indeed contains the hostname field with the computer name as in your attachment.



  • 7.  RE: ClearPass AD source using Repository Endpoint Hostname

    Posted Mar 03, 2020 06:12 AM

    I think the "Authorization" namespace might not be available yet in your situation.

     

    Try with "Host:Name" or "Endpoint:Hostname" instead.



  • 8.  RE: ClearPass AD source using Repository Endpoint Hostname

    EMPLOYEE
    Posted Mar 03, 2020 06:24 AM

    Without seeing what is being reported in AccessTracker it's rather hard to guess. To this end I suggest you get some debug traces: Set the RADIUS service into DEBUG mode (only do this on a live system at a quiet time - this will affect performance, disable once tested). Perform the test. Export the AccessTracker event. Post it here...