Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Policy Manager - AD sAMAccountName & userPrincipalName

  • 1.  Clearpass Policy Manager - AD sAMAccountName & userPrincipalName

    Posted Nov 26, 2013 09:46 AM

    I'm in the process of setting up a Clearpass Policy Manager server for our wireless infrastructure and I'm stuck on the configuration of the AD Source, particularly since in our AD infrastructure we use BOTH sAMAccountName and userPrincipalName.

     

    I was able to get it working with userPrincipalName by going into Sources -> My AD Server -> Attributes -> Authentication -> Edit/Modify -> Filter Query:

     

    (&(objectClass=user)(userPrincipalName=%{Authentication:Username}))

     

    However, how do I change this filter query to support both searches for sAMAccountName and userPrincipalName?

     

    Thanks



  • 2.  RE: Clearpass Policy Manager - AD sAMAccountName & userPrincipalName

    EMPLOYEE
    Posted Nov 26, 2013 10:09 AM

    Is your UPN just your sAMAccountName@domain.xyz ?



  • 3.  RE: Clearpass Policy Manager - AD sAMAccountName & userPrincipalName

    Posted Nov 26, 2013 10:11 AM

    No, they are completely different

     

    For example, they are set up as 'first.last@domain.com' and sam is 'flast'



  • 4.  RE: Clearpass Policy Manager - AD sAMAccountName & userPrincipalName
    Best Answer

    EMPLOYEE
    Posted Nov 26, 2013 10:29 AM

    Try this filter:

     

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

     



  • 5.  RE: Clearpass Policy Manager - AD sAMAccountName & userPrincipalName

    Posted Nov 26, 2013 12:35 PM

    Thanks Tim, that did it!



  • 6.  RE: Clearpass Policy Manager - AD sAMAccountName & userPrincipalName

    Posted Apr 16, 2019 08:51 AM

    This post helped a lot. If anyone should need it:

    When you strip the domain name with "user:@,\:user" in your services, you can change the query to add it again, allowing users to log in with both sAMAccountName & userPrincipalName in the form of an email address:

     

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username}@yourdomainname.com)))
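
Added example, not part of any post in this thread and not ClearPass code: a small Python evaluator that substitutes a username into the filters from posts 1, 4 and 6 and runs them against constructed directory entries, to show which login forms each filter resolves. The entries, the `@domain.com` suffix in the post 6 variant, and the RFC 4515 escaping of the substituted value are assumptions of this example; the thread does not say how ClearPass handles the substitution.

```python
import re

# Constructed sample entries; the first uses the naming from the thread.
ENTRIES = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["flast"],
     "userPrincipalName": ["first.last@domain.com"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["jdoe"],
     "userPrincipalName": ["jane.doe@domain.com"]},
]
VAR = "%{Authentication:Username}"
UPN_ONLY = "(&(objectClass=user)(userPrincipalName=" + VAR + "))"
BOTH = ("(|(&(objectClass=user)(sAMAccountName=" + VAR + "))"
        "(&(objectClass=user)(userPrincipalName=" + VAR + ")))")
# Post 6 variant for a username whose domain was stripped; suffix set to the sample domain.
STRIPPED = BOTH.replace(VAR + ")))", VAR + "@domain.com)))")

def escape(value):
    """RFC 4515 escaping, so the username is matched as a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse the subset used here: (&...), (|...), (attr=value)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, unescape(value)), end + 1

def matches(node, entry):
    if node[0] == "=":  # AD compares these attributes case-insensitively
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    hits = [matches(kid, entry) for kid in node[1]]
    return all(hits) if node[0] == "&" else any(hits)

def search(template, username):
    """Substitute the username, then return the sAMAccountName of every match."""
    tree, _ = parse(template.replace(VAR, escape(username)))
    return [e["sAMAccountName"][0] for e in ENTRIES if matches(tree, e)]
```

A filter used for authentication should resolve each username to exactly one entry, so a result list with more or fewer than one item is the thing to check for when adapting these filters.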