Contributor I
Posts: 29
Registered: ‎05-31-2016

Adding Active Directory Attributes to CPPM Roles

Hi all,

I've managed to thoroughly confuse myself with something that I thought was going to be simple.

We have some AD-joined Macs, and since they don't do machine authentication, I'm having trouble getting them the right CPPM roles.

Rather than manually build a SHL or Endpoint list, I was hoping that I would be able to query the AD operatingSystem attribute and thus intelligently do the role mappings. (Authorization: AD: operatingSystem : contains: Mac)

Unfortunately, in the access tracker, I'm not seeing it under authorization attributes or computed attributes, thus, it's not mapping correctly.

Am I missing something obvious, or could it be because the RADIUS request is coming through as a user request?

Thanks,

--Ben

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Adding Active Directory Attributes to CPPM Roles

Macs CAN do machine authentication.

Since you're doing a user authentication in this case, you won't be able to use computer properties.

You have a few options:
1) Use the device registration database built into ClearPass to register them with a certain tag.
2) Set up Mac machine authentication.
3) Issue certs to the Macs with a unique property.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor I
Posts: 29
Registered: ‎05-31-2016

Re: Adding Active Directory Attributes to CPPM Roles

1.) I was trying to avoid manual (but it'll work)

2.) I am NOT seeing a way to do this, unless you use TLS with certificates (I'm using PEAP)

3.) Arrrrrgh more certificates!!! :)
