Security

Hello everybody !

I was using TEAP-MSCHAPv2 on a cluster of 6.10 appliances for months.

For the machine authentication, the ServicePrincipalName was used (formatted like host/hostname.domain) but since the upgrade to 6.11, the machine authentication doesn't use the ServicePrincipalName anymore but the sAMaccountName instead (hostname$ format). Because my authorization source was using the ServicePrincipalName in the filters, I can't retrieve the Authorization attributes anymore. A quick fix will to update my authentication source filter to use sAMaccountName but I would like to know why this behavior changed with the upgrade.

My understanding was that the attribute format was « decided » by the endpoint so that's why it feels strange to me because we didn't touch the endpoints, only an upgrade to 6.11 . When I speak about machine auth username, I mean the TEAP-Method-1-Username computed attribute.

I hope someone could help me better understand this behavior ! Thanks in advance 

I can't speak to this exact error but I would look at using certificates for TEAP instead of username/passwords.  

Hello everybody !

I was using TEAP-MSCHAPv2 on a cluster of 6.10 appliances for months.

For the machine authentication, the ServicePrincipalName was used (formatted like host/hostname.domain) but since the upgrade to 6.11, the machine authentication doesn't use the ServicePrincipalName anymore but the sAMaccountName instead (hostname$ format). Because my authorization source was using the ServicePrincipalName in the filters, I can't retrieve the Authorization attributes anymore. A quick fix will to update my authentication source filter to use sAMaccountName but I would like to know why this behavior changed with the upgrade.

My understanding was that the attribute format was « decided » by the endpoint so that's why it feels strange to me because we didn't touch the endpoints, only an upgrade to 6.11 . When I speak about machine auth username, I mean the TEAP-Method-1-Username computed attribute.

I hope someone could help me better understand this behavior ! Thanks in advance 

Thanks for your answer.

Yes, we are planning to switch to certificate authentication but I'm trying to understand what's happening in the back and why we see different username format just by upgrading ClearPass. But yes, maybe I'm digging to much on this, I just really want to find an explanation every time I see something weird.

I can't speak to this exact error but I would look at using certificates for TEAP instead of username/passwords.  

Hello everybody !

I was using TEAP-MSCHAPv2 on a cluster of 6.10 appliances for months.

For the machine authentication, the ServicePrincipalName was used (formatted like host/hostname.domain) but since the upgrade to 6.11, the machine authentication doesn't use the ServicePrincipalName anymore but the sAMaccountName instead (hostname$ format). Because my authorization source was using the ServicePrincipalName in the filters, I can't retrieve the Authorization attributes anymore. A quick fix will to update my authentication source filter to use sAMaccountName but I would like to know why this behavior changed with the upgrade.

My understanding was that the attribute format was « decided » by the endpoint so that's why it feels strange to me because we didn't touch the endpoints, only an upgrade to 6.11 . When I speak about machine auth username, I mean the TEAP-Method-1-Username computed attribute.

I hope someone could help me better understand this behavior ! Thanks in advance