Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Endpoint Attributes

  • 1.  Clearpass Endpoint Attributes

    Posted Oct 18, 2017 10:46 AM

    Hi,

     

    I have a MAC Caching service that authenticates against AD, looks up a group and maps to a role. gsStaff to [Staff]

     

    I then have an enforcement policy that matches the [Staff] role, updates the endpoint as known, sends a CoA and a custom post authentication profile that adds the authentication username and the roles that were matched to the endpoint attributes.

     

    Type=Endpoint, Name=Username, Value=%{Authentication:Username}

    Type=Endpoint, Name=ADtoClearpassRoles, Value=%{Tips:Role}

     

    The issue I'm having is that when modifying the MAC Authentication service mapping rules, I attempt to select Type=Endpoint, Name=ADtoClearpassRoles EQUALS, but the value is blank and no drop-down for the roles within the endpoint attributes is selectable.

     

    In essence, I'd like to place MAC Authenticated devices into particular VLANs based on the AD groups of whoever originally authenticated the device. I'm not too sure if I'm going down the right track.

     

    Can someone point me in the right direction please?

     

    Cheers

    Shaun

     



  • 2.  RE: Clearpass Endpoint Attributes
    Best Answer

    EMPLOYEE
    Posted Oct 18, 2017 10:49 AM

    You should really just stamp the username to the endpoint and evaluate the group membership of this user in real-time. Stamping dynamic data to the endpoint is not generally recommended.

     

    Also, just an FYI, you should try not to use brackets in your profiles/roles/etc. They're reserved for system defaults.



  • 3.  RE: Clearpass Endpoint Attributes

    Posted Oct 19, 2017 07:41 AM

    Thanks Tim,

     

    You've put me on the right track and I now have this working.

     

    Cheers

    Shaun