Ok.
So, in this case, I imagine that mail access in mobility or VPN connections use a token or MFA?
Do you think you can use MFA on the Guest page?
It's possible with Okta, for example.
Regards,
------------------------------
StephaneLALARDIE
------------------------------
Original Message:
Sent: Jan 24, 2024 07:10 AM
From: FreddyG
Subject: Clearpass Captive Portal login with different attributes
Thanks for your answer.
Using an LDAP source came into my mind as well. But I think that's not suitable because of the unencrypted SSID. My customer isn't (really) afraid of using the AD passwords; he does not want the credentials to be saved on privately owned devices.
------------------------------
Frederik
Original Message:
Sent: Jan 24, 2024 05:21 AM
From: Stéphane LALARDIE
Subject: Clearpass Captive Portal login with different attributes
Hi,
Maybe you can use an LDAP source (not AD) on your AD and change the password attribute:

I think you also need to select a method of authentication with a cleartext password.
Then you can tell your customer you improve the security by dealing with cleartext authentication information on an open SSID...
Maybe he will reconsider logging in with an AD account on an HTTPS page :)
By the way, I hope users don't have access to OWA, because they can log in with their AD credentials on their personal device.
Regards,
------------------------------
StephaneLALARDIE
Original Message:
Sent: Jan 23, 2024 07:11 AM
From: FreddyG
Subject: Clearpass Captive Portal login with different attributes
Hi all,
Currently I'm in an overall Clearpass PoC with a customer. Now it comes to the config of their guest environment, and we discussed how we can use the guest SSID to grant access for employees. The initial idea was to use the employee domain credentials, which is very easy to configure. The customer does not like the idea that employees use any of their domain credentials (passwords) on their private devices. So he came up with the idea to use a different attribute to check for (employee ID, or phone number, etc.).
For example: an employee needs to enter his SAMAccount Name and employee ID as a verification. And only if these two attributes match, the user will be logged in.
So my question is now: is it possible to check a different value as a normal password in the AD as a verification?
Does anyone have a different way to achieve the wishes of my customer?
------------------------------
Frederik
------------------------------