09-03-2015 07:01 AM
1) I do not have AD as authentication source, only local DB.
2) CA, Machine and Client certificates have been generated by the CA and installed in the client.
3) AD credential have been exported into clearpass local DB with department attribute.
4) The default local DB only grab the role_name and enable/disable, therefore I have created another SQL query (copied from somewhere in this forum) to grab the department attribute.
1) Am I right to untick authorization in TLS for Machine Auth since I do not have access to the AD and I have nothing to check against?
2) I can't get the department attribute for User Auth is it because that I have untick authorization in TLS?
3) I need to tick authorization in TLS for User_Auth so that it will check against the local DB and get the attribute for role mapping?
Generally what I want to achieve is to have both machine and user authentication as well as to grab the department attribute from the local DB. How can it be done?
09-03-2015 07:19 AM
2) Is your custom auth source configured as an authorization source in the service?
3) The TLS authorization is part of the authentication process and is different than overall policy authorization. If you have the custom source as an authorization source, you likely have a bad SQL query.
Is the department name also in the cert as a custom key attribute?
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
09-03-2015 07:53 AM
2) Is your custom auth source configured as an authorization source in the service? - Don't get what you mean but cusom authentication/authorization source but in the service I have selected local DB for both authentication and authorization.
3) The TLS authorization is part of the authentication process and is different than overall policy authorization. If you have the custom source as an authorization source, you likely have a bad SQL query. - So if I selected TLS authorization, what it actually does?
Is the department name also in the cert as a custom key attribute? - Yes
Back to my question: How can I grab the local DB attribute with my current setup? I know I will definitely need the SQL query as well as select the local DB inside authorization service. What else did I miss out? Anything related to compare CN? Is the local DB username = CN? If I enable compare CN in the TLS authorization, will it check against the local DB?
Sorry I am getting confused here. Thanks for the help.