Network Architecture & Design

  • 1.  NAC LDAP integration - userPrincipalName

    Posted 12-12-2013 09:36
    We would like to integrate NAC in a wireless network and want to authenticate users against an Active Directory. The customer's users know only their "userPrincipalName" (UPN).

    If we use the "userPrincipalName" as "User Search Attribute" in the LDAP configuration from NAC (version 5.0), we don't get a RADIUS accept. We assume that the NAC is cutting the @


  • 2.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-12-2013 12:26
    You should be able to leave the User Search Attribute at sAMAccountName and still be able to use the UPN for authentication (just tested it). Do you have user-to-auth mapping set to catch the @UPN pattern? The pattern should be at least *@domain.name, where domain.name is what is after the @ sign when you log in.


  • 3.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-12-2013 12:45
    Hello Brian,

    Thanks for your answer.
    In our case UPN and sAMAccountName have nothing in common, e.g.:
    sAMAccountName = ABC123
    UPN = max@example.de
    If we follow your suggestion the NAC will check "max" against the sAMAccountName. This will not result in a match.

    And yes we have configured a pattern *@example.de to redirect the user authentication against the LDAP server.

    Kind regards
    Christoph



  • 4.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-12-2013 17:24
    Is there a reason to have those two fields different?

    Somebody with knowledge of the inner workings of NAC would have to weigh in to see if that User Search field is really customizable.

    A possible workaround would be to do RADIUS proxy. It would be good to test and might give you a temporary solution, if the User Search field ends up being a feature request.

    Regards,

    Brian


  • 5.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-12-2013 17:24
    Hi Brian, I have sent this into our NAC group so we should have some enlightenment shortly!


  • 6.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-13-2013 07:21
    I don't know for sure why the AD was set up like this; I think it's the result of some former migrations. Nevertheless, we have no influence and cannot change these fields for several thousand users.

    Proxy RADIUS will be a suboptimal solution because we also want to match against other AD attributes. But if there is no other way we will do it...

    Kind regards
    Christoph



  • 7.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-16-2013 15:49
    Hello Christoph,

    In answer to your original post, you are correct that NAC always strips off the domain when doing an LDAP lookup on a user. Unfortunately, there is no current means by which to change this behavior. This could be put forward as a Feature Request for possible future functionality; however, I do not have an immediate means by which to work around this behavior in an LDAP configuration.

    If you do wish to raise this as a Feature Request, this can be started with opening a Services Case by either calling into the GTAC, or via the Case Management Web Portal. If you would submit the request in the Services Case, we can then take it over to a formal Feature Request for possible future functionality, and will relay it to the appropriate Product Manager for review.

    Best Regards,

    Gregory K. Hayden
    Technical Support Specialist
    Enterasys, now part of Extreme Networks
    +1 603-952-6781

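    To make the failure mode in this thread concrete, here is an added example (Python, written for this page; it is not code from Extreme Networks, Enterasys or NAC). It models the lookup path the replies describe: the user-to-auth mapping pattern, the domain strip that Gregory's reply confirms, and the LDAP equality filter NAC would send for the chosen User Search Attribute. The directory entries, the login names, the `ldap_lookup` stand-in and the RFC 4515 escaping helper are constructed assumptions; NAC's real internals are not shown on this page.

```python
import fnmatch
from typing import Optional

# Constructed sample directory (not real data). It mirrors the situation in the
# thread: the UPN prefix and the sAMAccountName have nothing in common.
DIRECTORY = [
    {"sAMAccountName": "ABC123", "userPrincipalName": "max@example.de"},
    {"sAMAccountName": "anna", "userPrincipalName": "anna@example.de"},
]

AUTH_MAPPING_PATTERN = "*@example.de"  # the user-to-auth mapping pattern from the thread


def matches_auth_mapping(login: str, pattern: str = AUTH_MAPPING_PATTERN) -> bool:
    """Glob-style match like NAC's user-to-authentication mapping ('*@domain.name')."""
    return fnmatch.fnmatchcase(login.lower(), pattern.lower())


def strip_domain(login: str) -> str:
    """Models the behaviour Gregory's reply describes: the domain part is dropped
    before the LDAP lookup, whatever the User Search Attribute is (assumption)."""
    return login.split("@", 1)[0]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so that a
    login containing filter metacharacters cannot alter the query."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_filter(search_attr: str, value: str) -> str:
    """The equality filter a NAC-style lookup would send for the chosen search attribute."""
    return f"({search_attr}={ldap_escape(value)})"


def ldap_lookup(search_attr: str, value: str) -> Optional[dict]:
    """Toy stand-in for the directory search: exact, case-insensitive equality on
    one attribute (AD compares sAMAccountName and userPrincipalName case-insensitively)."""
    for entry in DIRECTORY:
        if entry.get(search_attr, "").lower() == value.lower():
            return entry
    return None


def nac_lookup(login: str, search_attr: str) -> Optional[dict]:
    """End-to-end model: mapping pattern, domain strip, then the LDAP lookup."""
    if not matches_auth_mapping(login):
        return None
    return ldap_lookup(search_attr, strip_domain(login))


if __name__ == "__main__":
    login = "max@example.de"
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(build_filter(attr, strip_domain(login)), "->", nac_lookup(login, attr))
    # Without the strip, a UPN search succeeds; this is what the thread asks NAC to do.
    print(build_filter("userPrincipalName", login), "->",
          ldap_lookup("userPrincipalName", login))
```

    Run as-is, the model reproduces the three cases discussed: with `sAMAccountName` as search attribute, `max@example.de` is reduced to `max` and finds nothing (Christoph's case); with `userPrincipalName` as search attribute the stripped value `max` cannot equal a full UPN either (the original post's RADIUS reject); only a search that keeps the whole UPN returns ABC123. A login whose UPN prefix equals its sAMAccountName, like `anna@example.de`, works after the strip, which is why Brian's test succeeded. The escaping helper is there because the login string comes from the supplicant and is interpolated into the filter.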

  • 8.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-16-2013 15:49
    Actually, you can submit a feature request right here in the community! I can either change the type of question this is to an "Idea" for you and it will be brought into our Product Development burndown meetings, or you can create a new topic using the topic type "Idea". This is a great way for us to determine what our customers are looking for in product features, and this gives you the ability to track its progress. Thanks for providing such a detailed answer, Greg, and if you have additional questions or would like to make this an Idea in our community, please let me know, Christoph. Have a great day everyone!


  • 9.  RE: NAC LDAP integration - userPrincipalName

    Posted 12-16-2013 15:49
    Thank you, we opened a case.

    Regards