Michael McNamara, https://blog.michaelfmcnamara.com (technology, networking, virtualization and IP telephony), feed generated Fri, 03 Jul 2020 12:15:10 +0000

Aruba ClearPass – userPrincipalName and samAccountName
https://blog.michaelfmcnamara.com/2020/06/aruba-clearpass-userprincipalname-and-samaccountname/
Sat, 27 Jun 2020 13:53:15 +0000

I’ve recently been standing up a number of virtual Aruba ClearPass appliances to provide 802.1X RADIUS authentication for both wired and wireless clients. If you are using Windows Active Directory as an authentication source, here’s a quick trick to allow your users to authenticate using either the userPrincipalName (email address) or their samAccountName (username). In my current environment, we’re a multi-brand organization with multiple @brand.com email domains where users are more likely to know their email address than their AD username. In its default configuration Aruba ClearPass will only authenticate against the username (samAccountName).

Log into Aruba ClearPass, open the Policy Manager, go to Configuration -> Authentication -> Sources and select your Windows Active Directory source (see the example below).

You need to update the filter query on the source as follows.

Original ClearPass Filter Query:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
Updated ClearPass Filter Query:
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

Then don’t forget to Save the changes, and you should be good to go!
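To sanity-check the OR-of-two-attributes logic before committing it on the appliance, here is an added Python example (not from the post, and not Aruba code) that evaluates the updated filter against a few constructed directory records; the names, the brand domains and the RFC 4515 escaping helper are illustrative assumptions, not anything ClearPass exposes.

```python
"""Added example, not from the original post: evaluate the updated filter locally."""
from __future__ import annotations

# Filter template exactly as entered in ClearPass; %{Authentication:Username}
# is the placeholder ClearPass fills with the name the client presented.
UPDATED_FILTER = (
    "(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))"
    "(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))"
)

# RFC 4515 escaping for a value placed inside a filter assertion, so that a
# presented name containing ( ) * \ or NUL cannot alter the filter structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(presented_name: str) -> str:
    """Substitute the (escaped) presented name into the template."""
    return UPDATED_FILTER.replace(
        "%{Authentication:Username}", escape_filter_value(presented_name))

def matches(entry: dict, presented_name: str) -> bool:
    """Evaluate the updated filter against one directory entry. AD compares
    sAMAccountName and userPrincipalName case-insensitively; mirror that."""
    if "user" not in [c.lower() for c in entry.get("objectClass", [])]:
        return False
    wanted = presented_name.casefold()
    return (entry.get("sAMAccountName", "").casefold() == wanted
            or entry.get("userPrincipalName", "").casefold() == wanted)

# Constructed sample directory; names and brand domains are placeholders.
DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "jsmith",
     "userPrincipalName": "john.smith@brand-a.example"},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "mjones",
     "userPrincipalName": "mary.jones@brand-b.example"},
    # A group also carries a sAMAccountName; the objectClass=user clause
    # keeps it from matching.
    {"objectClass": ["top", "group"], "sAMAccountName": "vpn-users"},
]

def lookup(presented_name: str) -> str | None:
    """Return the sAMAccountName of the single matching user, else None."""
    hits = [e for e in DIRECTORY if matches(e, presented_name)]
    return hits[0]["sAMAccountName"] if len(hits) == 1 else None
```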

Cheers!

Palo Alto Networks GlobalProtect VPN – userPrincipalName and samAccountName
https://blog.michaelfmcnamara.com/2020/03/palo-alto-networks-globalprotect-vpn-userprincipalname-and-samaccountname/
Sat, 21 Mar 2020 16:51:15 +0000

Here’s a quick note for anyone looking to understand how to allow users to log into the GlobalProtect VPN client with either their standard samAccountName (username) or their userPrincipalName (usually the email address) when authenticating against Windows Active Directory via LDAP.

I will assume that you already have basic username authentication working, so this post will outline how you can add the ability for users to use the userPrincipalName instead of their samAccountName (username).

Step 1. Assuming you already have an Authentication Profile set up to authenticate usernames (samAccountName), clone that profile and then update the Login Attribute to “userPrincipalName”.

Step 2. Create an Authentication Sequence that includes both Authentication Profiles: the original profile and the profile you created in the step above. In the example below I’m using “auth_ldap”.

Step 3. Update your GlobalProtect Portal Configuration Client Authentication to reference this new Authentication Sequence. Network -> GlobalProtect -> Portals, edit your configuration and update the authentication profile to “auth_ldap”.

Step 4. Update your GlobalProtect Gateway Configuration Client Authentication to reference this new Authentication Sequence. Network -> GlobalProtect -> Gateways, edit your configuration and update the authentication profile to “auth_ldap”.

Step 5. Commit your changes.

With that all done, you can now test using either your samAccountName (username) or your userPrincipalName (usually the email address of the user).

Cheers!
