Bart_Vos

ClearPass userPrincipalName users and AD Query

Hello,

If I understand correctly, user information fetched with the Web API from ClearPass should be resolved to an AD account by AD Query. The User Groups would also be looked up.

I think the problem lies in the fact that we use UPN (userPrincipalName) as the login on our networks.

If I look up a user with:

pep s u q usr <username>

PDP: <127.0.0.1, 00000000>; UID: <915a1f11>
==================================================
  Client ID          : <<IP-address>, 00000000>
  Authentication Key : <Unavailable>
  Brute force counter: 0
  Username           : <username>@<suffix>
  Machine name       : <IP-address>
  User groups        : <Unavailable>
  Machine groups     : <Unavailable>
  Compliance         : <Unavailable>
  Identity Role      : <>
  Time to live       : 28830
  Cached time        : 86400
  TTL counter        : 57570
  Time left          : 18094
  Last update time   : Thu Oct  4 13:57:34 2018

pdp m u <username>

Session:  915a1f11
Session UUID:  {<UUID>}
Ip:  <IP-address>
Users:
<username>@<suffix>@<domainname> {2b604b71}
   Groups: -
   Roles: -
   Client Type: Identity Awareness API (Aruba ClearPass Policy Manager)
   Authentication Method: Trust
   Distinguished Name:
   Connect Time: Thu Oct  4 13:57:34 2018
   Next Reauthentication: Thu Oct  4 22:06:31 2018
   Next Connectivity Check: -
   Next Ldap Fetch: -

Packet Tagging Status:  Not Active
Published Gateways:  Local
************************************************************************************

I can see that it is working, but the User Groups aren't fetched.

On the ClearPass side, I set:

"calculate-roles":1,"fetch-user-groups":0,"fetch-machine-groups":0

(as documented by Aruba/HPE)

I read a lot of documentation and think that if AD Query is working (it is) and the Web API is giving results, the correlation should be done.

Could it have something to do with the Domain field in the LDAP Account Unit?

Thanks for any advice and kind regards,

Peter Kruppa

PS We're running R80.20
