AAA, NAC, Guest Access & BYOD

How to extract a specific AD group for a user who belongs to multiple groups?
Requirement:

How do you validate that a user belongs to a specific group and extract that one group from the many the user is a member of?


For example:

Consider an AD user who is a member of the following groups.

Authorization:LAB AD:Groups Administrators, Airwave, ClearPass, Contractor, Test_admin, Users, nsteam
Authorization:LAB AD:memberOf CN=Administrators,CN=Builtin,DC=nslab,DC=com, CN=Airwave,OU=Nested Groups,DC=nslab,DC=com, CN=ClearPass,OU=Nested Groups,DC=nslab,DC=com, CN=Contractor,DC=nslab,DC=com, CN=Test_admin,CN=Users,DC=nslab,DC=com, CN=Users,CN=Builtin,DC=nslab,DC=com, CN=nsteam,DC=nslab,DC=com


Let us validate that a user belongs to the group "Administrator", extract that one group, and send the group name in the RADIUS accounting proxy to an external target.



Solution:

Add the search filter below to your AD authentication source to validate membership and extract the specific group.

  • (&(cn=<group name>) (member:1.2.840.113556.1.4.1941:=%{UserDN}))


For example, the "Administrator" group can be extracted from AD with the filter below.

  • (&(cn=administrator) (member:1.2.840.113556.1.4.1941:=%{UserDN}))


A wildcard can also be used to match group names that start with "admin".

  • (&(cn=admin*) (member:1.2.840.113556.1.4.1941:=%{UserDN}))


More details on the matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN, which walks nested group membership) used in the filter above can be found at https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
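To make clear what the matching rule in the filter above actually evaluates, here is an added Python model; it is not part of the original article or of ClearPass. It uses a constructed directory (the DNs come from the Access Tracker output above, but how the groups are nested inside each other is assumed), follows member links transitively the way the chain matching rule does, applies the wildcard cn match, and escapes the substituted user DN per RFC 4515 so a DN containing filter metacharacters cannot alter the filter.

```python
import re

# Constructed sample directory: group DN -> set of member DNs (users or groups).
# The nesting (nsteam inside Administrators, ClearPass inside Airwave) is assumed.
USER_DN = "CN=jdoe,CN=Users,DC=nslab,DC=com"   # hypothetical user
DIRECTORY = {
    "CN=Administrators,CN=Builtin,DC=nslab,DC=com": {"CN=nsteam,DC=nslab,DC=com"},
    "CN=nsteam,DC=nslab,DC=com": {USER_DN},
    "CN=Airwave,OU=Nested Groups,DC=nslab,DC=com": {"CN=ClearPass,OU=Nested Groups,DC=nslab,DC=com"},
    "CN=ClearPass,OU=Nested Groups,DC=nslab,DC=com": {USER_DN},
    "CN=Contractor,DC=nslab,DC=com": {"CN=bob,CN=Users,DC=nslab,DC=com"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter (e.g. %{UserDN})."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_filter(cn_pattern: str, user_dn: str) -> str:
    """The article's filter with the user DN substituted and escaped."""
    return f"(&(cn={cn_pattern})(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)}))"

def is_direct_member(group_dn: str, user_dn: str) -> bool:
    """What a plain (member=%{UserDN}) clause would check: one hop only."""
    return user_dn in DIRECTORY.get(group_dn, ())

def is_transitive_member(group_dn: str, user_dn: str, seen=None) -> bool:
    """What LDAP_MATCHING_RULE_IN_CHAIN evaluates: follow member links through nested groups."""
    seen = set() if seen is None else seen
    if group_dn in seen:          # guard against circular nesting
        return False
    seen.add(group_dn)
    return any(m == user_dn or is_transitive_member(m, user_dn, seen)
               for m in DIRECTORY.get(group_dn, ()))

def cn_of(dn: str) -> str:
    return dn.split(",")[0][3:]

def matching_groups(cn_pattern: str, user_dn: str) -> list:
    """Group names the filter returns: cn matches the (wildcard) pattern AND the user is a nested member."""
    rx = re.compile("^" + re.escape(cn_pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)
    return sorted(cn_of(g) for g in DIRECTORY
                  if rx.match(cn_of(g)) and is_transitive_member(g, user_dn))

if __name__ == "__main__":
    print(build_filter("admin*", USER_DN))
    print(matching_groups("admin*", USER_DN))   # Administrators, reached only via nsteam
```

With this data the user is not a direct member of Administrators, so a filter without the chain matching rule would return nothing for the "admin*" pattern.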

Configuration:

Add the search filter in the AD authentication source as shown below.

Note: the Filter Name and Alias Name can be anything you choose.

Verification

The filtered group can be viewed in the Access Tracker records under the "Authorization Attributes" section, as shown below.


The filtered attribute can be referenced in an enforcement profile, or when you proxy the accounting data to an external target such as a firewall.

Below is a sample configuration for adding the filtered group to the accounting proxy.


The output below from the RADIUS accounting proxy target confirms that the AD group "Administrator" is received. This filtered attribute can then be used at the firewall to enforce access policies, if needed.


Version history: Revision 2 of 2, last updated 12-20-2016 06:20 AM