Tuesday, 5 May 2020

Clearpass Authenticating using userPrincipalName or SAMaccountname

By default, new Active Directory authentication sources added to ClearPass check user authentication against sAMAccountName. As part of an effort to make 802.1X wireless authentications match domain-joined machine logins, we needed to check users against userPrincipalName instead. Some differences between the two attributes are listed below:

samAccountName
  • historic user login name used pre-Win2k
  • format is Domain\User

userPrincipalName
  • used with newer Windows versions
  • format is username@DomainName.co.uk

    Change to the AD Source

    The first step is to change the filter that ClearPass uses to query the AD source.
    This is located under: Auth > Sources > My Source > Attributes, click on Authentication > Configuration,
    then change Filter Query from:
    (&(sAMAccountName=%{Authentication:Username})(objectClass=user))
    to
    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))
    as shown here:
    This query allows both sAMAccountName and userPrincipalName to be checked, but they will need different ClearPass services, as the former requires any domain to be stripped from the username whilst the latter needs the domain to be present. If only UPN is required then the query can be shortened to just:
    (&(objectClass=user)(userPrincipalName=%{Authentication:Username}))

    New Services

    To implement the change, a new service was added above the existing services to handle users logging in with their UPN. Our existing eduroam login is username@domain.ac.uk, and to match sAMAccountName the domain part is stripped from the username before comparison. With UPN the full username@domain value must be passed through, so a new service was required.
    This new service applies a regular expression to the username that is more specific than the one in the previous service, so it only matches usernames in the new format. The existing format is still matched by the old service for a temporary period of co-existence until all users migrate to the new format. The regular expression looks for a prefix containing numbers, lower-case letters, at least one dot, and optionally apostrophes and hyphens.
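The following is an added worked example, not ClearPass code or configuration from the original post. It models the two pieces described above: building the combined or UPN-only LDAP filter from a supplied username, and routing a login to the UPN service or the legacy sAMAccountName service (stripping the domain for the latter) with a regular expression written to the description in the text. The regular expression, the function names and the escaping step are assumptions: the post does not give its regex, and whether ClearPass escapes the %{Authentication:Username} value before substituting it into the filter is not stated here, so the example escapes RFC 4515 metacharacters itself to show why that matters. A small parenthesis-balance check is included because an unbalanced filter is an easy mistake to make when editing these queries by hand.

```python
import re

# RFC 4515 escaping for values substituted into an LDAP search filter.
# Assumption: ClearPass escapes the username itself; this demo escapes
# explicitly so that metacharacters in a supplied username cannot change
# the structure of the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, mode: str = "both") -> str:
    """Return the AD filter for a username.

    mode: "sam"  -> sAMAccountName only (the ClearPass default)
          "upn"  -> userPrincipalName only (the shortened query in the post)
          "both" -> the combined OR query from the post
    """
    u = ldap_escape(username)
    sam = f"(&(objectClass=user)(sAMAccountName={u}))"
    upn = f"(&(objectClass=user)(userPrincipalName={u}))"
    if mode == "sam":
        return sam
    if mode == "upn":
        return upn
    return f"(|{sam}{upn})"


def balanced(filter_text: str) -> bool:
    """True if every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Hypothetical regex for the "new format" login: a prefix of digits,
# lower-case letters, apostrophes and hyphens that contains at least one
# dot, followed by @ and a domain. Not the regex used in the author's service.
UPN_RE = re.compile(r"^(?=[^@]*\.)[a-z0-9'.-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def route(username: str):
    """Pick the service for a login and the value that service sends to AD.

    The UPN service passes the full username through; the legacy service
    strips the domain so the remainder can be compared with sAMAccountName.
    """
    if UPN_RE.match(username):
        return ("UPN service", username)
    local_part = username.split("@", 1)[0]
    return ("legacy sAMAccountName service", local_part)


if __name__ == "__main__":
    # Constructed sample logins, not real accounts.
    for name in ["j.bloggs@domain.ac.uk", "jbloggs@domain.ac.uk", "jbloggs", "a*b)"]:
        service, value = route(name)
        print(f"{name!r:28} -> {service:34} value={value!r}")
        print("   filter:", build_filter(value, "upn" if service.startswith("UPN") else "sam"))
```

Because the UPN regex insists on a dot in the prefix, a login such as jbloggs@domain.ac.uk still falls through to the legacy service with the domain removed, which is the co-existence behaviour the post describes; once every account uses the new format the legacy service (and the sAMAccountName half of the filter) can be retired.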

    Beware

    One thing to be aware of is that I couldn't get ClearPass to do the authorization part correctly from the AD source following authentication. This is necessary to determine the role that each user should be assigned. It seems that if there are multiple AD sources being queried by ClearPass then this doesn't work.
