Occasional Contributor I

CPPM - Can you get user account attributes when his device authenticates?

Hi,

Here is the situation:

- Users authenticate against an LDAP directory
- Users are assigned to a VLAN (LDAP attribute)
- Devices authenticate with certs (Onboarded) and are assigned to the user that enrolled them (Endpoint 'owner' attribute assigned upon Onboarding)

What I would like is to be able to retrieve the VLAN attribute from the user account when his device authenticates in order to assign the device to the VLAN.

I guess I could add the VLAN attribute to the endpoint upon Onboarding, but I'm looking for a more dynamic solution.

Any ideas?

Thanks.

Guru Elite

Re: CPPM - Can you get user account attributes when his device authenticates?

Where is the VLAN stored?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: CPPM - Can you get user account attributes when his device authenticates?

The VLAN is stored on the LDAP user account.

Guru Elite

Re: CPPM - Can you get user account attributes when his device authenticates?

Add that attribute to your LDAP authentication source.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: CPPM - Can you get user account attributes when his device authenticates?

Hi,

I think you misunderstood my question, sorry if it wasn't clear.

1. Device authenticates using cert
2. During device authorization phase, we retrieve the "Owner" attribute from the [Endpoint Repository] authorization source (which corresponds to an LDAP username)

--> 3. We want to fetch an attribute from an LDAP account using the username we just retrieved.

To me this isn't possible, since I don't think we can make a call to an authorization source using different credentials than the ones used to authenticate initially.

But maybe I'm wrong, or maybe there's a workaround...

Guru Elite

Re: CPPM - Can you get user account attributes when his device authenticates?

  1. Duplicate your LDAP authentication source.
  2. Modify the filter to replace %{Authentication:Username} with %{Endpoint:Owner}
  3. Add your custom VLAN attribute
  4. Add this new auth source as an additional authorization source in your service.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
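The four steps above, modelled as an added example that is not part of the thread and not Aruba's or CPPM's code. It shows the two-stage lookup: the certificate-authenticated device yields Endpoint:Owner from the endpoint repository, and a duplicated LDAP source whose filter is templated on %{Endpoint:Owner} instead of %{Authentication:Username} returns that owner's VLAN attribute. Everything concrete here is assumed: the endpoint repository contents, the directory entries, the attribute names "uid" and "vlan", and the two filter templates (the page does not state CPPM's default filter). The RFC 4515 escaping of the substituted value and the tiny in-memory filter evaluator are this example's own, added because Endpoint:Owner is data written at enrollment time; whether CPPM escapes substituted values is not stated on the page.

```python
"""Added example: cert-authenticated device -> Endpoint:Owner -> owner's LDAP VLAN."""
import re

# Constructed sample data (not from the thread): MAC -> endpoint attributes.
ENDPOINT_REPOSITORY = {
    "00:11:22:33:44:55": {"Owner": "jdoe", "Status": "Known"},
    "66:77:88:99:aa:bb": {"Owner": "*", "Status": "Known"},  # hostile/garbage owner
}

# Constructed LDAP directory: (dn, attributes); keys lower-case, values are lists.
LDAP_DIRECTORY = [
    ("uid=jdoe,ou=people,dc=example,dc=com",
     {"uid": ["jdoe"], "objectclass": ["inetOrgPerson"], "vlan": ["110"]}),
    ("uid=asmith,ou=people,dc=example,dc=com",
     {"uid": ["asmith"], "objectclass": ["inetOrgPerson"], "vlan": ["120"]}),
]

# Assumed filter templates: the original user lookup, and the duplicated source with
# %{Authentication:Username} swapped for %{Endpoint:Owner} as the answer suggests.
USER_FILTER = "(&(uid=%{Authentication:Username})(objectClass=inetOrgPerson))"
OWNER_FILTER = "(&(uid=%{Endpoint:Owner})(objectClass=inetOrgPerson))"

TOKEN = re.compile(r"%\{(\w+):(\w+)\}")  # CPPM-style %{Namespace:Attribute}


def escape_filter_value(value):
    """RFC 4515 escaping so a substituted value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template, context, escape=True):
    """Replace %{Ns:Attr} tokens with values from context, e.g. {"Endpoint": {...}}."""
    def sub(m):
        raw = context[m.group(1)][m.group(2)]
        return escape_filter_value(raw) if escape else raw
    return TOKEN.sub(sub, template)


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: &, |, ! and attr=value (with * wildcards)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated list at %d" % i)
        return (op, children), i + 1
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated negation at %d" % i)
        return ("!", node), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)  # a ')' inside a value must arrive escaped as \29
    return ("=", s[i:eq].lower(), s[eq + 1:close]), close + 1


def _match(pattern, values):
    if pattern == "*":  # presence test
        return bool(values)
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    rx = re.compile(".*".join(parts), re.IGNORECASE)
    return any(rx.fullmatch(v) for v in values)


def evaluate(node, attrs):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(evaluate(c, attrs) for c in node[1])
    if node[0] == "!":
        return not evaluate(node[1], attrs)
    return _match(node[2], attrs.get(node[1], []))


def ldap_search(directory, filter_str):
    """Return the directory entries matching an RFC 4515 filter string."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters in filter")
    return [(dn, attrs) for dn, attrs in directory if evaluate(node, attrs)]


def vlan_for_device(mac):
    """Stage 1: endpoint repository gives Owner. Stage 2: owner's LDAP 'vlan' attribute."""
    endpoint = ENDPOINT_REPOSITORY.get(mac.lower())
    if endpoint is None:
        return None  # unknown endpoint: nothing to look up
    hits = ldap_search(LDAP_DIRECTORY, render_filter(OWNER_FILTER, {"Endpoint": endpoint}))
    if len(hits) != 1:
        return None  # missing or ambiguous owner: assign no VLAN
    return hits[0][1]["vlan"][0]


if __name__ == "__main__":
    print(render_filter(OWNER_FILTER, {"Endpoint": {"Owner": "jdoe"}}))
    print(vlan_for_device("00:11:22:33:44:55"))
    print(vlan_for_device("66:77:88:99:aa:bb"))
```

The "exactly one hit" check in vlan_for_device is the caveat worth carrying into a real policy: with the owner value "*" left unescaped the rendered filter becomes (&(uid=*)(objectClass=inetOrgPerson)) and matches every user, so a rule that takes the first result would assign someone else's VLAN; escaped, it matches nobody and the device gets no VLAN.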
Occasional Contributor I

Re: CPPM - Can you get user account attributes when his device authenticates?

Woo, nifty! I'll try that, thanks a lot.
