12-15-2014 01:26 PM
If I want to authorize users based on the value of, say, the memberOf attribute in AD, my understanding is that I can do this via the filter attributes under auth source, or I can write an enforcement rule to check the AD attribute. Assuming I don't need to return a RADIUS attribute to the client based on this value, does it matter which method I use? Is one way more efficient than the other?
I tried both ways in testing, and it looks like the only difference for a reject is that with the filter method I get a user not found message and with the enforcement method I get "Applied 'Reject' profile".
Thanks in advance.
12-15-2014 02:13 PM
12-16-2014 06:53 AM
You may want to use the pre-built groups attribute combined with a role map. Then you can reference the TIPS role in your enforcement.
Is there an advantage to creating a role based on authorization attributes and then interrogating that role in the enforcement versus just interrogating the authorization attribute in the enforcement policy?