
NAC LDAP integration - userPrincipalName


Userlevel 3
We would like to integrate NAC in a wireless network and want to authenticate users against an Active Directory. The customer's users know only their "userPrincipalName" (UPN).

If we use the "userPrincipalName" as "User Search Attribute" in the LDAP configuration of NAC (version 5.0), we don't get a RADIUS accept. We assume that the NAC is cutting the @ from the UPN. If this is the case, there cannot be a match with the UPN.
Can somebody confirm this behaviour?

And if this is the case, is there a workaround available?

Kind regards
Christoph


Userlevel 2
You should be able to leave the User Search Attribute at samAccountName and still be able to use the UPN for authentication (just tested it). Do you have user to auth mapping set to catch the @UPN pattern? Pattern should be at least *@domain.name where domain.name is what is after the @ sign when you login.
Userlevel 3
Hello Brian,

thanks for your answer.
In our case UPN and sAMAccountName have nothing in common, e.g.:
samAccountName = ABC123
UPN = max@example.de
If we follow your suggestion the NAC will check "max" against the samAccountName. This will not result in a match.

And yes we have configured a pattern *@example.de to redirect the user authentication against the LDAP server.

Kind regards
Christoph
Userlevel 2
Is there a reason to have those two fields different?

Somebody with knowledge of the inner workings of NAC would have to weigh in to see if that User Search field is really customizable.

A possible workaround would be to do RADIUS Proxy. It would be good to test and might give you a temporary solution if the User Search field ends up being a feature request.

Regards,

Brian
Userlevel 2
Hi Brian, I have sent this into our NAC group so we should have some enlightenment shortly!
Userlevel 3
I don't know for sure why the AD was set up like this; I think it's the result of some former migrations. Nevertheless, we have no influence and cannot change these fields for several thousand users.

Proxy RADIUS will be a suboptimal solution because we also want to match against other AD attributes. But if there is no other way we will do it...

Kind regards
Christoph
Hello Christoph,

In answer to your original post, you are correct that NAC always strips off the Domain when doing an LDAP lookup on a user. Unfortunately, there is no current means by which to change this behavior. This could be put forward as a Feature Request for possible future functionality; however, I do not have an immediate means by which to work around this behavior in an LDAP configuration.

If you do wish to raise this as a Feature Request, this can be started with opening a Services Case by either calling into the GTAC, or via the Case Management Web Portal. If you would submit the request in the Services Case, we can then take it over to a formal Feature Request for possible future functionality, and will relay it to the appropriate Product Manager for review.

Best Regards,

Gregory K. Hayden
Technical Support Specialist
Enterasys, now part of Extreme Networks
+1 603-952-6781
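To make the behaviour discussed in this thread concrete (Brian's sAMAccountName suggestion, Christoph's example where sAMAccountName and UPN are unrelated, and Gregory's confirmation that the domain is stripped before the lookup), here is an added Python model; it is not NAC code or anything from Extreme Networks. The directory entries, the fixed mapping pattern and the function names are constructed assumptions, and the RFC 4515 escaping shows how a full-UPN filter would have to be built so a submitted username cannot alter the LDAP query.

```python
"""Simplified model of the NAC 5.0 LDAP lookup behaviour described in the thread.

Constructed data and hypothetical helpers, not Extreme/Enterasys code.
"""
from fnmatch import fnmatch
from typing import Optional

# Constructed AD entries: first mirrors Christoph's case (sAMAccountName and
# UPN unrelated), second mirrors Brian's test (UPN prefix == sAMAccountName).
DIRECTORY = [
    {"sAMAccountName": "ABC123", "userPrincipalName": "max@example.de"},
    {"sAMAccountName": "brian", "userPrincipalName": "brian@example.de"},
]

# User-to-auth mapping pattern, as configured in the thread (assumption).
AUTH_MAPPING_PATTERN = "*@example.de"


def strip_domain(username: str) -> str:
    """Behaviour confirmed by Gregory: everything after '@' is dropped."""
    return username.split("@", 1)[0]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside an LDAP search filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def nac_lookup(username: str, search_attribute: str) -> Optional[dict]:
    """NAC-style lookup: apply the mapping pattern, then search with the
    domain stripped. Fails for Christoph's user with either attribute."""
    if not fnmatch(username, AUTH_MAPPING_PATTERN):
        return None
    key = strip_domain(username)
    return next((e for e in DIRECTORY if e[search_attribute] == key), None)


def upn_filter(username: str) -> str:
    """Filter a lookup would need in order to match the complete UPN."""
    return f"(&(objectClass=user)(userPrincipalName={escape_filter_value(username)}))"


def upn_lookup(username: str) -> Optional[dict]:
    """Lookup against the full UPN (what NAC 5.0 cannot do, per the thread)."""
    if not fnmatch(username, AUTH_MAPPING_PATTERN):
        return None
    return next((e for e in DIRECTORY if e["userPrincipalName"] == username), None)
```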
Userlevel 2
Actually, you can submit a feature request right here in the community! I can either change the type of this question to an "Idea" for you and it will be brought into our Product Development burndown meetings, or you can create a new topic using the topic type "Idea". This is a great way for us to determine what our customers are looking for in product features, and it gives you the ability to track its progress. Thanks for providing such a detailed answer, Greg, and if you have additional questions or would like to make this an Idea in our community, please let me know, Christoph. Have a great day everyone!
Userlevel 3
Thank you, we opened a case.

Regards
