Aruba
Posts: 1,641
Registered: ‎04-13-2009

Re: ClearPass Active Directory Authentication Permit/Deny Access


cmwillis wrote:

I found out the issue. It appears that if you're using the memberOf AD attribute on a user that is in two or more AD groups, ClearPass only sees the highest privilege AD group for that user. In other words, if you have exampleUser in Domain Users and Enterprise Admins and your Role Mapping Policy only deals with Domain Users, then exampleUser won't get properly mapped until a Role Mapping Policy deals with Enterprise Admins.


With regards to this comment. The "primary group" membership of an AD user (as listed on the Member Of tab of an account) does not show up in the memberOf attribute. This usually means that Domain Users does not show up in the memberOf attribute. This primary group shows up under the primaryGroupID attribute if you need to use "Domain Users".

Your option is to either use a non-primary group for role mappings or use the primaryGroupID (EQUALS 513) instead.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
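
The attribute behaviour described in the reply above, as an added Python example that is not part of the original thread and is not ClearPass's own logic: it decodes a user's binary objectSid, derives the primary group from primaryGroupID, and merges it with memberOf. The sample entry, its SID values, the `example.com` DNs and all function names are constructed for illustration.

```python
import struct

# Well-known RIDs of default domain groups (513 is the value cited in the reply).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")   # 6-byte big-endian authority
    subs = struct.unpack(f"<{count}I", raw[8:])   # little-endian sub-authorities
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(entry: dict) -> str:
    """Primary group SID = the user's domain SID with primaryGroupID as the RID."""
    domain_sid = sid_to_str(entry["objectSid"]).rsplit("-", 1)[0]
    return f"{domain_sid}-{int(entry['primaryGroupID'])}"

def memberof_groups(entry: dict) -> set:
    """Group CNs listed in memberOf (simplified DN parsing, no escaped commas)."""
    return {dn.split(",", 1)[0].split("=", 1)[1] for dn in entry.get("memberOf", [])}

def effective_groups(entry: dict) -> set:
    """memberOf groups plus the primary group, which memberOf never lists."""
    rid = int(entry["primaryGroupID"])
    primary = WELL_KNOWN_RIDS.get(rid, primary_group_sid(entry))
    return memberof_groups(entry) | {primary}

def build_sid(*subs: int, authority: int = 5) -> bytes:
    """Helper that packs a constructed SID for the sample entry below."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample: a user whose primary group is Domain Users (RID 513).
EXAMPLE_USER = {
    "sAMAccountName": "exampleUser",
    "objectSid": build_sid(21, 1111111111, 2222222222, 3333333333, 1105),
    "primaryGroupID": "513",
    "memberOf": ["CN=Enterprise Admins,CN=Users,DC=example,DC=com"],
}

if __name__ == "__main__":
    print("memberOf only:", memberof_groups(EXAMPLE_USER))
    print("primary group SID:", primary_group_sid(EXAMPLE_USER))
    print("effective groups:", effective_groups(EXAMPLE_USER))
```

A role mapping rule that tests memberOf for "Domain Users" never matches this entry, while a rule on primaryGroupID EQUALS 513 does.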

Aruba
Posts: 1,641
Registered: ‎04-13-2009

Re: ClearPass Active Directory Authentication Permit/Deny Access

Found this article here on the Community that explains this.

http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/79

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
