Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS authentication method setting - authorization required

  • 1.  EAP-TLS authentication method setting - authorization required

    MVP
    Posted Mar 22, 2024 12:19 PM

    Would like to verify what this setting is actually checking. Doing my research on this checkbox, I thought this would check if the user account associated with the cert was disabled in AD. However in my testing of a disabled user account, I am still able to fully authenticate (with authZ) with the cert.

    In my auth source, when testing the attribute query for this test user, I can see AD is returning that the account is disabled:

    I thought having the Authorization Required checkbox checked would be enough for the RADIUS request to fail given the user account is disabled. Am I wrong?

    Do I need to add additional authZ rules checking for the various userAccountControl values associated with disabled accounts?



  • 2.  RE: EAP-TLS authentication method setting - authorization required

    EMPLOYEE
    Posted Mar 24, 2024 02:56 AM

    See if this answers it:

    eap-tls-authorization-required



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: EAP-TLS authentication method setting - authorization required

    MVP
    Posted 29 days ago

    I have tried the two filters below:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))
     
    (&(objectClass=user)(|(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username})))

    But each produces this error on the Filter tab:

    However, if I try only this for the filter, the Filter tab works: (&(sAMAccountName=%{Authentication:Username})(objectClass=user))

    Or, if I try this filter, the Filter tab works: (&(userPrincipalName=%{Authentication:Username})(objectClass=user))

    I don't understand why, if I "OR" the two using the pipe, it doesn't work.




  • 4.  RE: EAP-TLS authentication method setting - authorization required

    Posted 29 days ago

    Hi

    The syntax of this query is "a bit" confusing, at least for me. I have saved some useful syntaxes over the years and am usually using this query:

    (&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))

    With this syntax the end user can provide the username in the format both with or without the @domain.com and the sAMAccountName format.

    In the syntax above the outer parenthesis is AND, by the (& at the beginning, and the inner is OR, by the following (|. So the query is "any username in the given formats" AND userClass=User.

    So in your first example the & and | have changed place. In the second I can't see the error; it looks like you just moved the objectClass=user condition.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: EAP-TLS authentication method setting - authorization required

    MVP
    Posted 29 days ago

    Jonas, thanks for sharing your query. I tried yours, but I still get the error on the filter tab...

    Here I set your suggested filter (edited for my domain):

    Then over on the Filter tab, I still get this error:




  • 6.  RE: EAP-TLS authentication method setting - authorization required

    EMPLOYEE
    Posted 29 days ago

    That error you are showing is because you're attempting to run the query with the sAMAccountName set to %{Authentication:Username} rather than a valid value.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: EAP-TLS authentication method setting - authorization required

    EMPLOYEE
    Posted 29 days ago

    And the query I've used for years to enable UPN.

    ******
    <Active Directory Auth Source>
    Modification to existing Authentication filter configuration to enable UPN lookup:

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: EAP-TLS authentication method setting - authorization required

    MVP
    Posted 28 days ago

    Maybe I am not understanding the purpose of the Filter tab. I assumed the Filter tab was to verify/check that the filter query entered on the Configuration tab was valid, and returned valid output. Perhaps I am wrong?

    If I enter a rather simple filter query on the Configuration tab such as below:
    (&(sAMAccountName=%{Authentication:Username})(objectClass=user))

    Then head to Attribute tab and enter a valid username, and click execute, it executes fine returning results.
    Then head to the Filter tab, and it loads fine without the error.
    (Noting at the bottom the sAMAccountName still shows as =%{Authentication:Username}, not the test username entered on Attribute tab)

    However, if I try a compound query such as the one you provided, following the same steps as above, I still get a valid response when executing a test user on the Attribute tab, but heading over to the Filter tab I still get the error message. I guess I expected the Filter tab to return either sAMAccountName OR userPrincipalName at the bottom, as that is what the query is after. But again, perhaps I am misunderstanding the usage of the Filter tab.






  • 9.  RE: EAP-TLS authentication method setting - authorization required

    EMPLOYEE
    Posted 28 days ago

    Apologies, wasn't looking at that closely enough.  The "Filter" tab allows you to add attributes to the filter by clicking directly into the returned data.  And correct, a compound query with multiple parameters will result in that error.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: EAP-TLS authentication method setting - authorization required

    MVP
    Posted 28 days ago

    Gotcha. Thanks for confirming, Carson. I was misunderstanding the usage of the Filter tab. Makes sense now.

    I will try your suggested query containing the "OR" statement covering both sAMAccountName and userPrincipalName, and then test to see if a user authenticating via EAP-TLS whose domain account has been disabled will in fact be denied authentication.




  • 11.  RE: EAP-TLS authentication method setting - authorization required

    EMPLOYEE
    Posted 28 days ago

    With EAP-TLS you have to separately check if the user account has been disabled since the authentication is just a certificate validation and account lookup.  Or you have to revoke the certificate and have that check working properly.

    Add the following filter to the AD auth source, then you can either assign a role (my preference) or check directly in enforcement.

    ******
    <Active Directory Auth Source>
    New filter "Custom-DisabledAccountCheck-User" to check if user account is disabled.
    sAMAccountName will "Exist" if the account is disabled.

    (&(&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368))(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user))))

    - sAMAccountName: DisabledAccount-User, String

    Also useful depending on your setup:

    ******
    <Active Directory Auth Source>
    New filter "Custom-DisabledAccountCheck-Endpoint" to check if user account is disabled.
    sAMAccountName will "Exist" if the account is disabled.

    (&(&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368))(|(&(sAMAccountName=%{Endpoint:Username})(objectClass=user))(&(userPrincipalName=%{Endpoint:Username})(objectClass=user))))

    - sAMAccountName: DisabledAccount-Endpoint, String


    ******
    <Active Directory Auth Source>
    New filter "Custom-DisabledAccountCheck-Computer" to check if computer account is disabled.
    sAMAccountName will "Exist" if the account is disabled.

    (&(userAccountControl:1.2.840.113556.1.4.803:=2)(objectCategory=Computer)(sAMAccountName=%{Authentication:Username})(objectClass=user))

    - sAMAccountName: DisabledAccount-Computer, String



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
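    Worked example, added here and not part of any post in this thread: a small Python evaluator for the LDAP filter subset used above. It models how the nested (& / (| operators Jonas describes and the userAccountControl bit-AND matching rule in Carson's disabled-account filter resolve against constructed AD-style entries, after the %{Authentication:Username} placeholder is substituted. The sample users, their attribute values and the example.com UPN are assumptions; the two filter strings are quoted from posts 4 and 11.

```python
# LDAP_MATCHING_RULE_BIT_AND: bitwise-ANDs an integer attribute with a mask; mask 2 is ACCOUNTDISABLE.
BIT_AND_OID = "1.2.840.113556.1.4.803"

# Filters quoted from the thread: Jonas's lookup filter and Carson's disabled-account check.
LOOKUP_FILTER = ("(&(|(userPrincipalName=%{Authentication:Username}@domain.com)(sAMAccountName=%{Authentication:Username})"
                 "(userPrincipalName=%{Authentication:Username}))(objectClass=user))")
DISABLED_FILTER = ("(&(&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368))"
                   "(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
                   "(&(userPrincipalName=%{Authentication:Username})(objectClass=user))))")

# Constructed sample entries (attribute names lower-cased, values as strings, as an LDAP server returns them).
ENABLED_USER = {"samaccountname": ["jdoe"], "userprincipalname": ["jdoe@example.com"],
                "objectclass": ["top", "person", "user"], "samaccounttype": ["805306368"],
                "useraccountcontrol": ["512"]}                   # NORMAL_ACCOUNT only
DISABLED_USER = dict(ENABLED_USER, useraccountcontrol=["514"])  # NORMAL_ACCOUNT | ACCOUNTDISABLE


def parse(s, i=0):
    """Recursive-descent parser for the filter subset used above; returns (node, next_index)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":                       # compound: the operator applies to every nested (...)
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    if attr.endswith(":" + BIT_AND_OID + ":"):   # attr:OID:=mask extensible match
        return ("bitand", attr.split(":")[0], int(value)), end + 1
    return ("eq", attr, value), end + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against one directory entry (attr -> list of string values)."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    values = entry.get(node[1].lower(), [])
    if kind == "bitand":                   # true when every bit of the mask is set in the value
        return any(int(v) & node[2] == node[2] for v in values)
    return any(v.lower() == node[2].lower() for v in values)


def matches(filter_str, entry, username):
    """Substitute %{Authentication:Username} the way ClearPass does, then evaluate the filter."""
    concrete = filter_str.replace("%{Authentication:Username}", username)
    node, end = parse(concrete)
    assert end == len(concrete), "trailing characters after filter"
    return evaluate(node, entry)
```

    Only DISABLED_USER satisfies DISABLED_FILTER, which is the "sAMAccountName exists" signal Carson's role mapping or enforcement rule keys on; the same account still passes LOOKUP_FILTER, which is all the "authorization required" checkbox verifies.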



  • 12.  RE: EAP-TLS authentication method setting - authorization required

    MVP
    Posted 28 days ago

    That circles me back around to my original question. If you are saying I have to check separately if the user account has been disabled, then I am still misunderstanding what the "Authorization Required" checkbox is doing within the EAP-TLS method setup. Could you explain more what this option is doing? The link Ariyap provided was not helpful in answering this for me. I was under the impression that with that checkbox, it was checking if the account was disabled or not - but again I may be wrong here.

    I do have my OCSP responder set up and working properly, in addition to ClearPass pointing to CRL as fallback.

    My end goal is that if a computer attempts to authenticate that has a valid/non-revoked certificate BUT the user account in AD has been disabled, to reject the authentication request.

    Thanks again Carson, I appreciate your help.




  • 13.  RE: EAP-TLS authentication method setting - authorization required

    EMPLOYEE
    Posted 28 days ago

    When using EAP-TLS, the "authentication" is just the certificate validation.  Example: client supplies a certificate, ClearPass checks validity, if everything is good and trusted then authentication is "yes".  The authorization required check requires that the username provided in the authentication matches an account in whatever authentication source is specified in the service.  Example: client supplies a certificate, ClearPass checks validity as good, ClearPass looks up the account in Active Directory and finds a match, then the authentication is "yes".

    The queries that I provided above will provide additional filters that you can use in authorization (remember, authentication doesn't care about anything other than certificate validity and maybe account existence) to determine if the session should be allowed.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 14.  RE: EAP-TLS authentication method setting - authorization required

    MVP
    Posted 28 days ago

    That's a much clearer explanation of that checkbox; thank you! So the "authorization required" checkbox is merely verifying that the presented username is found within the specified authentication source, and it's not checking whether it's enabled or disabled, just that it exists.

    I will play with the new queries and build some checks into my enforcement policy to reject access if the AD account is found to be disabled.