Occasional Contributor I

UPN authentication with clearpass and active directory

I have ClearPass authenticating iPhones and Androids. I need to pass the UPN authentication from ClearPass to Active Directory to have ClearPass make a decision. Both phones authenticate via a certificate.

My Android phones authenticate with the AD SAM username, e.g. ncci/ncdlt. The iPhones try to authenticate with the UPN, e.g. daniel_tominovich@ncci.com. The Androids work and the iPhones do not.

How do I get ClearPass to pass the UPN on to AD for authentication?


Accepted Solutions
Occasional Contributor I

Re: UPN authentication with clearpass and active directory

Changing from this:

(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))

to this:

(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

was the fix.



All Replies
Moderator

Re: UPN authentication with clearpass and active directory

Under the authentication tab (at the bottom), try stripping the domain using the "user:@" syntax.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: UPN authentication with clearpass and active directory

I tried that and it had no effect on the authentication.

Thanks

Frequent Contributor I

Re: UPN authentication with clearpass and active directory

Hi!

Many thanks for this authentication filter - still best choice for this scenario.

I've added the AD badPwdCount to the filter so that ClearPass does not pass wrong credentials to AD after 4 tries:

(&(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))(!(badPwdCount>=4)))

With kind regards

Manfred M.
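
Added example (not part of any post in this thread and not ClearPass code): a Python model of the two filters posted above, showing that one filter resolves both the SAM name and the UPN to the same account, and what the badPwdCount clause excludes. The function names and directory entries are constructed, and escaping the username per RFC 4515 before substitution is an assumption of this sketch; the thread does not say how ClearPass handles that.

```python
# Added example: models the thread's filter logic; not ClearPass code.
# All function names and directory entries below are constructed for illustration.

def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username, lockout_threshold=None):
    """Build the sAMAccountName-or-userPrincipalName filter from the thread."""
    u = escape_filter_value(username)
    flt = ("(|(&(objectClass=user)(sAMAccountName=%s))"
           "(&(objectClass=user)(userPrincipalName=%s)))" % (u, u))
    if lockout_threshold is not None:
        # Variant from the last post: skip accounts at or above the bad-password count.
        flt = "(&%s(!(badPwdCount>=%d)))" % (flt, lockout_threshold)
    return flt

def lookup(directory, username, lockout_threshold=None):
    """Return the accounts the filter would select (exact, case-insensitive match)."""
    name = username.lower()
    hits = []
    for e in directory:
        if name not in (e["sAMAccountName"].lower(), e["userPrincipalName"].lower()):
            continue
        if lockout_threshold is not None and e["badPwdCount"] >= lockout_threshold:
            continue
        hits.append(e["sAMAccountName"])
    return hits

# Constructed sample entries.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jane.doe@example.com", "badPwdCount": 0},
    {"sAMAccountName": "bsmith", "userPrincipalName": "bob.smith@example.com", "badPwdCount": 5},
]

if __name__ == "__main__":
    # The literal "*" login is escaped, so it matches no account instead of every account.
    for login in ("jdoe", "jane.doe@example.com", "bob.smith@example.com", "*"):
        print(login, "->", build_filter(login, 4), lookup(DIRECTORY, login, 4))
```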
