Contributor I
Posts: 23
Registered: ‎09-17-2012

Authentication source filter versus enforcement profile

If I want to authorize users based on the value of, say, the memberof attribute in AD, my understanding is I can do this via the filter attributes under auth source or I can write an enforcement rule to check the AD attribute. Assuming I don't need to return a RADIUS attribute to the client based on this value, does it matter which method I use? Is one way more efficient than the other?

I tried both ways in testing and it looks like the only difference for a reject is that with the filter method I get a user not found message and with the enforcement method I get "Applied 'Reject' profile".

Thanks in advance.

Guru Elite
Posts: 7,854
Registered: ‎09-08-2010

Re: Authentication source filter versus enforcement profile

You may want to use the pre-built groups attribute combined with a role map. Then you can reference the TIPS role in your enforcement.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Contributor I
Posts: 23
Registered: ‎09-17-2012

Re: Authentication source filter versus enforcement profile


cappalli wrote:

You may want to use the pre-built groups attribute combined with a role map. Then you can reference the TIPS role in your enforcement.


Is there an advantage to creating a role based on authorization attributes and then interrogating that role in the enforcement versus just interrogating the authorization attribute in the enforcement policy?
