We are using EAP-TLS for Wi-Fi authentication. I am populating the Endpoint repository using the CrowdStrike Falcon extension. All of our endpoints (hosts) have Falcon installed, so the Endpoint repository is filled with host attributes. This was pretty easy to set up. In the Endpoint repository I have the following attributes which are interesting:
1) hostname (our Windows machine cert has CN equal to host/@example.com)
2) serial number (our macOS machine cert has CN equal to mac-serial-number@example.com)
3) Last Login User
I have created a Falcon Authorization source. The following filter is being used:
select attributes->>'CrowdStrike Last Login User' as "CrowdStrike Last Login User" FROM tips_endpoints WHERE attributes->>'CrowdStrike Serial Number' = UPPER('%{Authentication:Username}');
Basically, the intention is to retrieve the user-id from the Endpoint repository, which I am now able to do correctly. I will describe later why I am extracting the user-id.
Since the Endpoint repository does not have an Aruba-User-Role or Aruba-User-Vlan, which I intend to return in the RADIUS accept, I could manually add these to the Endpoint repository and the problem would be solved. However, I would like to avoid adding this info manually if possible. We already have this info present in the form of AD groups in our Active Directory. The purpose of retrieving the user-id earlier is to do a lookup on Active Directory based on this user-id. This is where I am struggling at the moment: I don't know how to trigger an Active Directory lookup. ClearPass is already joined to the domain, and we do these lookups successfully for our EAP/PEAP/MSCHAPv2 authentication. For EAP-PEAP our filter looks like the following and it works great:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
As I explained earlier, the Username in the case of EAP-TLS is either the serial number of the MacBook or the hostname of the Windows device. Obviously, with this Username the attributes fetched with the above query would not work. Since I have the user-id retrieved from Falcon, I tried the following query, but it did not work:
(&(sAMAccountName=%{Authorization:Falcon:CrowdStrike Last Login User})(objectClass=user))
The above query was set under the authentication source where Active Directory is defined. I am not sure what the correct way of getting this to work is. I am assuming it did not work because Falcon is defined as a different auth source. Is what I am trying to do even possible?
Thanks for looking into this.
------------------------------
NadeemNet
------------------------------
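The two-stage lookup the post describes, as an added stand-alone model that is not part of the original post or of ClearPass itself: an EAP-TLS identity (MacBook serial number or Windows hostname) is first resolved in the Endpoint repository to the CrowdStrike Last Login User, and that user-id is then looked up in Active Directory to derive Aruba-User-Role and Aruba-User-Vlan from group membership. It also shows why an AD filter keyed on the raw EAP-TLS Username returns nothing. The repository rows, the AD entries, the group-to-role table, the `host/` prefix and `@realm` suffix handling, and the function names are all constructed assumptions; the example generalises the post's serial-only SQL filter to also match the hostname, since the post says the Windows CN carries the hostname.

```python
"""Added example (not from the original post): a model of the identity ->
Endpoint repository -> Last Login User -> Active Directory -> role/VLAN chain.
Everything below (rows, entries, mappings, normalisation) is a constructed
assumption, not ClearPass behaviour."""

from typing import Optional

# Constructed Endpoint repository rows; attribute names follow the post.
ENDPOINTS = [
    {"CrowdStrike Hostname": "WIN-LAPTOP-01",
     "CrowdStrike Serial Number": "PF1ABC23",
     "CrowdStrike Last Login User": "bob"},
    {"CrowdStrike Hostname": "alices-mbp",
     "CrowdStrike Serial Number": "C02ABC123",
     "CrowdStrike Last Login User": "alice"},
    {"CrowdStrike Hostname": "kiosk-07",
     "CrowdStrike Serial Number": "C02KIOSK07",
     "CrowdStrike Last Login User": ""},            # no interactive login recorded
    {"CrowdStrike Hostname": "backup-srv",
     "CrowdStrike Serial Number": "PF9SRV001",
     "CrowdStrike Last Login User": "svc-backup"},  # user with no mapped group
]

# Constructed Active Directory entries keyed by lower-cased sAMAccountName.
AD_USERS = {
    "alice": {"objectClass": "user", "memberOf": ["Engineering"]},
    "bob": {"objectClass": "user", "memberOf": ["Contractors"]},
    "svc-backup": {"objectClass": "user", "memberOf": []},
}

# Constructed mapping of AD group -> (Aruba-User-Role, Aruba-User-Vlan).
GROUP_TO_ROLE = {
    "Engineering": ("employee", 20),
    "Contractors": ("contractor", 30),
}
# Fallback for an AD user that is in no mapped group (assumption).
DEFAULT_ROLE = ("quarantine", 999)


def normalise_identity(username: str) -> str:
    """Reduce an EAP-TLS identity to the bare serial or hostname.
    Assumption: the CN may carry a 'host/' prefix and an '@realm' suffix, and
    the comparison is case-insensitive, as the post's filter uses UPPER()."""
    ident = username.split("@", 1)[0]
    if ident.lower().startswith("host/"):
        ident = ident[len("host/"):]
    return ident.upper()


def endpoint_lookup(username: str) -> Optional[str]:
    """Model of the post's Endpoint repository filter, generalised to match
    either the serial number (macOS) or the hostname (Windows).
    Returns the Last Login User, or None when no row or no user is found."""
    ident = normalise_identity(username)
    for ep in ENDPOINTS:
        if ident in (ep["CrowdStrike Serial Number"].upper(),
                     ep["CrowdStrike Hostname"].upper()):
            return ep["CrowdStrike Last Login User"] or None
    return None


def ad_lookup(sam_account_name: str) -> Optional[dict]:
    """Model of (&(sAMAccountName=X)(objectClass=user)) against AD_USERS."""
    entry = AD_USERS.get(sam_account_name.lower())
    if entry is None or entry["objectClass"] != "user":
        return None
    return entry


def authorize(username: str) -> Optional[dict]:
    """Full chain. Returns the attributes to send back, or None (reject)
    when either the endpoint or the AD stage finds nothing."""
    user_id = endpoint_lookup(username)
    if user_id is None:
        return None
    entry = ad_lookup(user_id)
    if entry is None:
        return None
    role, vlan = DEFAULT_ROLE
    for group in entry["memberOf"]:
        if group in GROUP_TO_ROLE:
            role, vlan = GROUP_TO_ROLE[group]
            break
    return {"user": user_id, "Aruba-User-Role": role, "Aruba-User-Vlan": vlan}


if __name__ == "__main__":
    for ident in ("C02ABC123@example.com", "host/WIN-LAPTOP-01@example.com",
                  "PF9SRV001", "C02KIOSK07", "UNKNOWN-SERIAL"):
        print(ident, "->", authorize(ident))
    # The AD filter keyed on the raw EAP-TLS Username finds no user:
    print("direct AD lookup on serial ->", ad_lookup("C02ABC123"))
```

The kiosk row (empty Last Login User) and the unknown serial both end in a reject rather than an exception, and the service account with no mapped group falls through to the quarantine default; those are the three failure modes worth deciding on explicitly before the AD stage is wired in.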