Hello,
if I understand correctly, user-information fetch with the Web API from Clearpass should be resolved in an AD Account by AD Query. Also the User Groups would be looked up.
I think the problem lays in the fact that we use UPN (userPrincipalName) as the login on our networks.
If I lookup a user with:
pep s u q usr <username>
PDP: <127.0.0.1, 00000000>; UID: <915a1f11>
==================================================
Client ID : <<IP-address>, 00000000>
Authentication Key : <Unavailable>
Brute force counter: 0
Username : <username>@<suffix>
Machine name : <IP-address>
User groups : <Unavailable>
Machine groups : <Unavailable>
Compliance : <Unavailable>
Identity Role : <>
Time to live : 28830
Cached time : 86400
TTL counter : 57570
Time left : 18094
Last update time : Thu Oct 4 13:57:34 2018
pdp m u <username>
Session: 915a1f11
Session UUID: {<UUID>}
Ip: <IP-address>
Users:
<username>@<suffix>@<domainname> {2b604b71}
Groups: -
Roles: -
Client Type: Identity Awareness API (Aruba ClearPass Policy Manager)
Authentication Method: Trust
Distinguished Name:
Connect Time: Thu Oct 4 13:57:34 2018
Next Reauthentication: Thu Oct 4 22:06:31 2018
Next Connectivity Check: -
Next Ldap Fetch: -
Packet Tagging Status: Not Active
Published Gateways: Local
************************************************************************************
I can see that it is working, but the User Groups aren't fetched.
On the Clearpass side, i set:
"calculate-roles":1,"fetch-user-groups":0,"fetch-machine-groups":0
(as documented by Aruba/HPE)
I read a lot of documentation and think if AD Query is working (it is) and the Web API is giving results, the correlation should be done.
Could it have to do something with the Domain-field in the LDAP Account Unit?
Thanks for any advice and kind regards,
Peter Kruppa
PS We're running R80.20
