Thursday, 14 May 2020

Transmit AP Name in Aruba Instant

Having the Wi-Fi infrastructure transmit the AP name is one of those useful things that not everyone knows about. It means that a network engineer can see the system-assigned name rather than a BSSID, saving valuable troubleshooting time. Each vendor does it in a slightly different, proprietary way, which means that it is usually only professional tools that will decode them. Until recently Aruba Instant deployments didn't have this functionality, but this changed with release 8.4.0.0. Interestingly there was no mention of this addition in the release notes; however, the CLI reference guide does describe it.

All that is required is to add the command advertise-ap-name to each SSID profile that needs it. Here is an example:

CORP-AP01# conf t
We now support CLI commit model, please type "commit apply" for configuration to take effect.
CORP-AP01 (config) # wlan ssid-profile AyeFi_CORP
CORP-AP01 (SSID Profile "AyeFi_CORP") # advertise-ap-name
CORP-AP01 (SSID Profile "AyeFi_CORP") # end
CORP-AP01# commit apply
committing configuration...
configuration committed.

As a consequence the APs will transmit their name as a VSA in the beacon frame as shown below:

Tuesday, 5 May 2020

ClearPass Authenticating using userPrincipalName or sAMAccountName

By default, new Active Directory authentication sources added to ClearPass are set to check user authentication against sAMAccountName. As part of an effort to make 802.1X wireless authentications match domain-joined machine logins we needed to change to checking users against userPrincipalName instead. Some differences between these two are listed below:

sAMAccountName
  • historic user login name used pre-Win2k
  • format is Domain\User

userPrincipalName
  • used with newer Windows versions
  • format is username@DomainName.co.uk

Change to the AD Source

The first step is to change the filter that is used by ClearPass to query the AD source. This is located under Auth > Sources > My Source > Attributes; click on Authentication > Configuration, then change Filter Query from:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
to
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))
as shown here:
This query allows both sAMAccountName and userPrincipalName to be checked, but they will need different ClearPass services, as the former requires any domain to be stripped whilst the latter needs the domain to be present. If only UPN is required then the query can be shortened to just:
(&(objectClass=user)(userPrincipalName=%{Authentication:Username}))

New Services

Then, to implement the change, a new service was required above the existing services to handle the users logging in with UPN. Our existing eduroam login is username@domain.ac.uk, and thus to match sAMAccountName the domain is stripped from the username before comparison. With UPN this wouldn't work, so a new service was required.
This implements a regular expression on the username that is more specific than the one for the previous service, so it will only match usernames in the new format. The existing format will still be matched to the old service for a temporary period of co-existence until all users migrate to the new format. This regular expression is looking for a prefix containing numbers, lower-case letters, at least one dot and optionally apostrophes and hyphens.
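To make the service selection and filter substitution concrete, here is an added Python example (not ClearPass code and not the post's own configuration) that reproduces the two filter queries above, applies a hypothetical version of the described regular expression to decide which service a login belongs to, and escapes the username before substituting it into the filter so a crafted login name cannot alter the filter's structure. The realm example.ac.uk and all helper names are assumptions.

```python
import re

# Placeholder that ClearPass substitutes with the authenticating username (from the post).
PLACEHOLDER = "%{Authentication:Username}"

# Filter queries quoted in the post: the default sAMAccountName-only filter and
# the combined sAMAccountName-or-userPrincipalName filter.
FILTER_SAM = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
FILTER_BOTH = ("(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
               "(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))")

# Assumed realm; the post only says logins look like username@domain.ac.uk.
UPN_REALM = "example.ac.uk"

# Hypothetical version of the post's service-matching regex: a local part of
# lower-case letters and digits with at least one dot, optionally apostrophes
# and hyphens, followed by @ and the realm. Legacy logins without a dot fail it.
UPN_RE = re.compile(r"^(?=[^@]*\.)[a-z0-9.'-]+@" + re.escape(UPN_REALM) + r"$")

# RFC 4515 escapes for the characters that could change a filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a username before it is substituted into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def select_service(username):
    """Route a login to the UPN service (username kept whole) or the legacy
    sAMAccountName service (realm stripped before the lookup)."""
    if UPN_RE.match(username):
        return "upn", username
    return "legacy", username.split("@", 1)[0]


def build_filter(template, username):
    """Substitute the escaped username into a ClearPass-style filter template."""
    return template.replace(PLACEHOLDER, ldap_escape(username))


def filter_is_balanced(ldap_filter):
    """Cheap sanity check that catches a stray ')' typed into a filter query."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0
```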

Beware

One thing to be aware of is that I couldn't get ClearPass to do the authorization part correctly from the AD source following authentication. This is necessary to determine the role that each user should be assigned. It seems that if there are multiple AD sources being queried by ClearPass then this doesn't work.

Emoji Wi-Fi on Cisco C9800 Catalyst

A nice feature for some situations is to use an Emoji SSID instead of a plain text SSID. Many Wi-Fi controllers support this by allowing cut...