https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13038#M442 Actually, you can submit a feature request <B>right here in the community!</B> I can either change the type of question this is to an "Idea" for you and it will be brought into our Product Development burndown meetings, or you can create a new topic using the topic type as "Idea". This is a great way for us to determine what our customers are looking for in product features, and this gives you the ability to track its progress. Thanks for providing such a detailed answer Greg and if you have addition questions or would like to make this an Idea in our community, please let me know Christoph. Have a great day everyone! Mon, 16 Dec 2013 23:49:00 GMT Tamera_Rousseau 2013-12-16T23:49:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13031#M435 We would like to integrate NAC in a Wireless network and want to authenticate users against an Active Directory. The customers users know only their "userPricipalName" (UPN).<BR /> <BR /> If we use the "userPricipalName" as "User Search Attribute" in the LDAP configuration from NAC (version 5.0), we don't get a RADIUS accept. We assume that the NAC is cutting the @<DOMAIN> from the UPN. If this is the case there cannot come off a match with the UPN.<BR /> Can somebody confirm this behaviour?<BR /> <BR /> And if this is the case, is there a workaround available?<BR /> <BR /> Kind regrads<BR /> Christoph<BR /> <BR /></DOMAIN> Thu, 12 Dec 2013 17:36:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13031#M435 Christoph 2013-12-12T17:36:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13032#M436 You should be able to leave the User Search Attribute at samAccountName and still be able to use the UPN for authentication (just tested it). Do you have user to auth mapping set to catch the<B>@UPN</B> pattern? Pattern should be at least *@domain.name where domain.name is what is after the @ sign when you login. Thu, 12 Dec 2013 20:26:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13032#M436 Brian_Anderson3 2013-12-12T20:26:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13033#M437 Hello Brian,<BR /> <BR /> thanks for your answer.<BR /> In our case UPN and sAMAccountName have nothing in common, e.g.:<BR /> samAccountName = ABC123<BR /> UPN = max@example.de<BR /> If we follow your suggestion the NAC will check "max" against the samAccountName. This will not result in a match.<BR /> <BR /> And yes we have configured a pattern *@example.de to redirect the user authentication against the LDAP server.<BR /> <BR /> Kind regrads<BR /> Christoph<BR /> <BR /> Thu, 12 Dec 2013 20:45:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13033#M437 Christoph 2013-12-12T20:45:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13034#M438 Is there a reason to have those two fields different? <BR /> <BR /> Somebody with knowledge of the inner workings of NAC would have to weigh in to see if that User Search field is really customizable. <BR /> <BR /> A possible work around, would be to do Radius Proxy. Would be good to test and might give you a temporary solution, if the User Search field ends up being a feature request. <BR /> <BR /> Regards, <BR /> <BR /> Brian Fri, 13 Dec 2013 01:24:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13034#M438 Brian_Anderson3 2013-12-13T01:24:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13035#M439 Hi Brian, I have sent this into our NAC group so we should have some enlightenment shortly! Fri, 13 Dec 2013 01:24:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13035#M439 Tamera_Rousseau 2013-12-13T01:24:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13036#M440 I don't no for sure why the AD was set up like this, I think it's the result of some former migrations. Nevertheless, we have no influence and cannot change these fields for several thousand users.<BR /> <BR /> Proxy RADIUS will be a suboptimal solution because we also want to match against other AD attributes. But if there is no other way we will do it...<BR /> <BR /> Kind regrads<BR /> Christoph<BR /> <BR /> Fri, 13 Dec 2013 15:21:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13036#M440 Christoph 2013-12-13T15:21:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13037#M441 Hello Christoph,<BR /> <BR /> In answer to your original post, you are correct that NAC always strips off the Domain when doing an LDAP lookup on a user. Unfortunately, there is no current means by which to change this behavior. This could be put forward as a Feature Request for possible future functionality; however, I do not have an immediate means by which to work-around this behavior in an LDAP configuration. <BR /> <BR /> If you do wish to raise this as a Feature Request, this can be started with opening a Services Case by either calling into the GTAC, or via the Case Management Web Portal. If you would submit the request in the Services Case, we can then take it over to a formal Feature Request for possible future functionality, and will relay it to the appropriate Product Manager for review. <BR /> <BR /> Best Regards,<BR /> <BR /> Gregory K. Hayden<BR /> Technical Support Specialist<BR /> Enterasys, now part of Extreme Networks<BR /> +1 603-952-6781<BR /> Mon, 16 Dec 2013 23:49:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13037#M441 Gregory_Hayden 2013-12-16T23:49:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13038#M442 Actually, you can submit a feature request <B>right here in the community!</B> I can either change the type of question this is to an "Idea" for you and it will be brought into our Product Development burndown meetings, or you can create a new topic using the topic type as "Idea". This is a great way for us to determine what our customers are looking for in product features, and this gives you the ability to track its progress. Thanks for providing such a detailed answer Greg and if you have addition questions or would like to make this an Idea in our community, please let me know Christoph. Have a great day everyone! Mon, 16 Dec 2013 23:49:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13038#M442 Tamera_Rousseau 2013-12-16T23:49:00Z https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13039#M443 thank you, we opened a case.<BR /> <BR /> regards<BR /> Mon, 16 Dec 2013 23:49:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/nac-ldap-integation-userpricipalname/m-p/13039#M443 Christoph 2013-12-16T23:49:00Z