NAC LDAP integration - userPrincipalName


Christoph
Contributor
We would like to integrate NAC in a wireless network and want to authenticate users against an Active Directory. The customer's users know only their "userPrincipalName" (UPN).

If we use the "userPrincipalName" as "User Search Attribute" in the LDAP configuration from NAC (version 5.0), we don't get a RADIUS accept. We assume that the NAC is cutting the @ from the UPN. If this is the case, there cannot be a match with the UPN.
Can somebody confirm this behaviour?

And if this is the case, is there a workaround available?

Kind regards
Christoph

8 REPLIES 8

Gregory_Hayden
New Contributor
Hello Christoph,

In answer to your original post, you are correct that NAC always strips off the Domain when doing an LDAP lookup on a user. Unfortunately, there is no current means by which to change this behavior. This could be put forward as a Feature Request for possible future functionality; however, I do not have an immediate means by which to work-around this behavior in an LDAP configuration.

If you do wish to raise this as a Feature Request, this can be started with opening a Services Case by either calling into the GTAC, or via the Case Management Web Portal. If you would submit the request in the Services Case, we can then take it over to a formal Feature Request for possible future functionality, and will relay it to the appropriate Product Manager for review.

Best Regards,

Gregory K. Hayden
Technical Support Specialist
Enterasys, now part of Extreme Networks
+1 603-952-6781

thank you, we opened a case.

regards

Actually, you can submit a feature request right here in the community! I can either change the type of question this is to an "Idea" for you and it will be brought into our Product Development burndown meetings, or you can create a new topic using the topic type as "Idea". This is a great way for us to determine what our customers are looking for in product features, and this gives you the ability to track its progress. Thanks for providing such a detailed answer, Greg, and if you have additional questions or would like to make this an Idea in our community, please let me know, Christoph. Have a great day everyone!

Christoph
Contributor
I don't know for sure why the AD was set up like this, I think it's the result of some former migrations. Nevertheless, we have no influence and cannot change these fields for several thousand users.

Proxy RADIUS will be a suboptimal solution because we also want to match against other AD attributes. But if there is no other way we will do it...

Kind regards
Christoph
