Users Guide

Directory: Active Directory
Default Filters:
- Authentication: This is the filter used for authentication. The query searches for objects whose objectClass is user, which finds both user and machine accounts in Active Directory:
    (&(objectClass=user)(sAMAccountName=%{Authentication:Username}))
  After a request arrives, Policy Manager populates %{Authentication:Username} with the authenticating user or machine. This filter is also set up to fetch the following attributes:
    - dn (aliased to UserDN): This is an internal attribute that is populated with the user or machine record's Distinguished Name (DN).
    - department
    - title
    - company
    - memberOf: In Active Directory, this attribute is populated with the groups that the user or machine belongs to. This is a multi-valued attribute.
    - telephoneNumber
    - mail
    - displayName
    - accountExpires
- Group: This filter retrieves the names of the groups that a user or machine belongs to.
    (distinguishedName=%{memberOf})
  This query fetches all group records whose distinguished name is the value returned by the memberOf variable. The values for the memberOf attribute are fetched by the first filter (Authentication) described above. The attribute fetched with this filter query is cn, which is the name of the group.
- Machine: This query fetches the machine record in Active Directory.
    (&(objectClass=computer)(sAMAccountName=%{Host:Name}$))
  %{Host:Name} is populated by Policy Manager with the name of the connecting host (if available). The dNSHostName, operatingSystem and operatingSystemServicePack attributes are fetched with this filter query.
- Onboard Device Owner: This filter retrieves the name of the owner that the onboarded device belongs to. The query finds the user in Active Directory.
    (&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
  %{Onboard:Owner} is populated by Policy Manager with the name of the onboarded user.
- Onboard Device Owner Group: This filter retrieves the name of the group that the onboarded device owner belongs to.
    (distinguishedName=%{Onboard memberOf})
  This query fetches all group records whose distinguished name is the value returned by the Onboard memberOf variable. The attribute fetched with this filter query is cn, which is the name of the Onboard group.
Table 64: AD/LDAP Default Filters Explained
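
How the placeholders in the default filters above expand into concrete LDAP search filters, as an added example that is not Policy Manager's own code. It assumes that substituted values are escaped per RFC 4515 and that the Group filter is run once per memberOf value; escape_value, expand, demo and the sample names are hypothetical.

```python
import itertools
import re

# Default filter templates, copied from the table above.
FILTERS = {
    "Authentication": "(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))",
    "Group": "(distinguishedName=%{memberOf})",
    "Machine": "(&(objectClass=computer)(sAMAccountName=%{Host:Name}$))",
}

# RFC 4515: these characters must appear as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def escape_value(value):
    """Escape one attribute value so the server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, variables):
    """Fill the %{...} placeholders; a list value gives one filter per element.

    Assumption: a multi-valued variable such as memberOf is searched once
    per value. Raises KeyError if a placeholder has no value.
    """
    columns = []
    for name in _PLACEHOLDER.findall(template):
        value = variables[name]
        columns.append([value] if isinstance(value, str) else list(value))
    filters = []
    for combo in itertools.product(*columns):
        values = iter(combo)
        filters.append(
            _PLACEHOLDER.sub(lambda m: escape_value(next(values)), template))
    return filters


def demo():
    """Expand each template with constructed sample values."""
    user = expand(FILTERS["Authentication"],
                  {"Authentication:Username": "svc(backup)*"})
    groups = expand(FILTERS["Group"], {"memberOf": [
        "CN=Staff,OU=Groups,DC=example,DC=com",
        "CN=VPN (Remote),OU=Groups,DC=example,DC=com",
    ]})
    machine = expand(FILTERS["Machine"], {"Host:Name": "LAB-PC01"})
    return user, groups, machine
```

When a custom filter is written against these templates, the escaped form is what should reach the directory, so a name containing *, ( or ) matches only that exact account or group.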
Dell Networking W-ClearPass Policy Manager 6.3 | User Guide Authentication and Authorization | 159