Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - Can you get user account attributes when his device authenticates?

  • 1.  CPPM - Can you get user account attributes when his device authenticates?

    Posted Oct 30, 2017 04:26 AM

    Hi,


    Here is the situation:

    - Users authenticate against an LDAP directory

    - Users are assigned to a VLAN (LDAP attribute)

    - Devices authenticate with certs (Onboarded) and are assigned to the user that enrolled them (Endpoint 'owner' attribute assigned upon Onboarding)


    What I would like is to be able to retrieve the VLAN attribute from the user account when his device authenticates in order to assign the device to the VLAN.


    I guess I could add the VLAN attribute to the endpoint upon OnBoarding, but I'm looking for a more dynamic solution.


    Any ideas?


    Thanks.



  • 2.  RE: CPPM - Can you get user account attributes when his device authenticates?

    EMPLOYEE
    Posted Oct 30, 2017 06:06 AM
    Where is the VLAN stored?


  • 3.  RE: CPPM - Can you get user account attributes when his device authenticates?

    Posted Oct 30, 2017 06:10 AM

    The VLAN is stored on the LDAP user account.



  • 4.  RE: CPPM - Can you get user account attributes when his device authenticates?

    EMPLOYEE
    Posted Oct 30, 2017 09:48 AM
    Add that attribute to your LDAP authentication source.


  • 5.  RE: CPPM - Can you get user account attributes when his device authenticates?

    Posted Oct 30, 2017 09:56 AM

    Hi,


    I think you misunderstood my question, sorry if it wasn't clear.


    1. Device authenticates using cert

    2. During device authorization phase, we retrieve the "Owner" attribute from the [Endpoint Repository] authorization source (which corresponds to an LDAP username)


    --> 3. We want to fetch an attribute from an LDAP account using the username we just retrieved.


    To me this isn't possible, since I don't think we can make a call to an authorization source using different credentials than the ones used to authenticate initially.


    But maybe I'm wrong, or maybe there's a workaround...



  • 6.  RE: CPPM - Can you get user account attributes when his device authenticates?
    Best Answer

    EMPLOYEE
    Posted Oct 30, 2017 10:25 AM
    1. Duplicate your LDAP authentication source.
    2. Modify the filter to replace %{Authentication:Username} with %{Endpoint:Owner}
    3. Add your custom VLAN attribute
    4. Add this new auth source as an additional authorization source in your service.


  • 7.  RE: CPPM - Can you get user account attributes when his device authenticates?

    Posted Oct 30, 2017 11:13 AM

    Woo, nifty! I'll try that, thanks a lot.
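As an added illustration of the two-stage lookup the best answer (post 6) describes, and not ClearPass's own code or anything posted in the thread: the Endpoint Repository supplies the Owner, the duplicated LDAP source's filter is keyed on %{Endpoint:Owner} instead of %{Authentication:Username}, and the custom VLAN attribute comes back for enforcement. The sAMAccountName-based filter shape, the attribute name `vlan`, and all directory data are assumptions; the escaping step is the check a practitioner would expect before an attribute value is substituted into a filter.

```python
import re

# Constructed sample data standing in for the two ClearPass sources in the
# thread: the Endpoint Repository (devices onboarded with a certificate,
# 'Owner' set at onboarding) and the LDAP directory (users with a custom
# VLAN attribute). None of it is real ClearPass data.
ENDPOINT_REPOSITORY = {
    "00-11-22-33-44-55": {"Owner": "jdoe"},
    "66-77-88-99-aa-bb": {"Owner": "a*b)(cn=*"},  # owner value with filter metacharacters
}
LDAP_USERS = [
    {"sAMAccountName": "jdoe", "objectClass": "user", "vlan": "120"},
    {"sAMAccountName": "asmith", "objectClass": "user", "vlan": "130"},
]

# Assumed filter of the existing authentication source, and the duplicated
# authorization source from the best answer, keyed on Endpoint:Owner instead.
AUTHN_FILTER = "(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
AUTHZ_FILTER = AUTHN_FILTER.replace("%{Authentication:Username}", "%{Endpoint:Owner}")


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 hex escapes)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def render_filter(template: str, attrs: dict) -> str:
    """Substitute %{Namespace:Name} placeholders with escaped attribute values."""
    return re.sub(r"%\{(\w+):(\w+)\}",
                  lambda m: ldap_escape(attrs[m.group(1)][m.group(2)]), template)


def ldap_search(users: list, flt: str) -> list:
    """Toy evaluator for the (&(a=v)(b=w)) shape used above; returns matching entries."""
    pairs = re.findall(r"\((\w+)=((?:\\[0-9a-f]{2}|[^()\\])*)\)", flt)
    unescape = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return [u for u in users if all(u.get(a) == unescape(v) for a, v in pairs)]


def vlan_for_device(mac: str):
    """Endpoint -> Owner -> LDAP lookup -> VLAN; None unless exactly one user matches."""
    endpoint = ENDPOINT_REPOSITORY.get(mac)
    if endpoint is None:
        return None
    matches = ldap_search(LDAP_USERS, render_filter(AUTHZ_FILTER, {"Endpoint": endpoint}))
    return matches[0]["vlan"] if len(matches) == 1 else None


if __name__ == "__main__":
    for mac in ENDPOINT_REPOSITORY:
        print(mac, "->", render_filter(AUTHZ_FILTER, {"Endpoint": ENDPOINT_REPOSITORY[mac]}),
              "-> VLAN", vlan_for_device(mac))
```

The second endpoint returns no VLAN because its escaped Owner matches no directory entry, which is the safe outcome when an attribute value does not resolve to exactly one user.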