04-27-2015 11:53 AM - edited 04-27-2015 11:57 AM
Short version: Does the AD group type (universal, global or domain local) have any bearing on role derivation in CPPM? User is in a global group "elementary" which is then part of domain local group "Employees". I keep getting failures to authenticate because CPPM does not indicate the user is in "Employees" but AD clearly shows that it is there. The user in question does show up in the groups he is directly added to but not the nested group (in CPPM details). SubTree Search is turned on for the AD authentication source.
I've done this before at a previous job but I had no access to AD at that location. I suspect it doesn't matter but I could be wrong.
04-27-2015 12:01 PM
You should be able to see the contents of Group in access tracker under
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
04-27-2015 12:06 PM
I tried "groups CONTAINS"
This was added to the "Input" -> "Authorization Attributes" when I used groups but still not seeing "Employees" show up.
Authorization:Active Directory:Groups: Elementary, Elementary Teachers
04-27-2015 12:22 PM