Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass and specific AD group

  • 1.  Clearpass and specific AD group

    Posted Jan 20, 2017 03:19 AM

    Hi,

    I've been trying to configure TACACS with AD authentication this whole week, but with no success.

    Can someone tell me how to authenticate against a specific AD group? Right now ClearPass is allowing all AD users to log in to network devices. I want only users in a specific AD group to be allowed to log in to network devices.

    Thank you very much for your help!



  • 2.  RE: Clearpass and specific AD group

    EMPLOYEE
    Posted Jan 20, 2017 03:37 AM
    You need to post a screenshot of your role mapping and enforcement profile.


  • 3.  RE: Clearpass and specific AD group

    Posted Jan 20, 2017 04:04 AM

    Hi,

    How are these settings related to what ClearPass is looking for from Windows AD?

    All I want is that if a user belongs to the TACACS group in Windows AD, it is authenticated; otherwise not.



  • 4.  RE: Clearpass and specific AD group

    EMPLOYEE
    Posted Jan 20, 2017 04:07 AM

    Because in either the role mapping and/or the enforcement you need to have a "member belongs to X group" condition. If you share a screenshot, we can tell you if it is set up correctly.



  • 5.  RE: Clearpass and specific AD group

    EMPLOYEE
    Posted Jan 20, 2017 04:14 AM

    Example:

    FullSizeRender.jpg

    FullSizeRender[1].jpg



  • 6.  RE: Clearpass and specific AD group

    Posted Jan 20, 2017 04:21 AM

    Hi,

    Mine looks like:

    cppm_roles.jpg

    cppm_enforcement.jpg

    "Tacacs-FullAccess" is the AD group the allowed users belong to.



  • 7.  RE: Clearpass and specific AD group
    Best Answer

    EMPLOYEE
    Posted Jan 20, 2017 04:27 AM
    You don't need to define it in both the role and the enforcement. I only do it because I use two separate domains and want to get more granular.

    You also have your default set to allow, so if the user is just found in AD then you will allow all. It should be like mine, where if they don't fit my conditions then it sends a reject.
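    The point made in this answer, as an added illustration that is not part of the original thread or of ClearPass itself: an enforcement policy is a list of conditions evaluated in order, and the default profile is what every authenticated user falls through to when no condition matches. The group DN, user records and profile names below are constructed sample data, and the evaluator is a simplified model of how such a policy behaves, not ClearPass code.

```python
# Added example: a minimal model of an AD-group-gated TACACS enforcement policy.
# Group DN, users and profile names are constructed sample values (assumptions).

ALLOWED_GROUP_DN = "CN=Tacacs-FullAccess,OU=Groups,DC=example,DC=com"  # assumed DN
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"          # assumed DN

# Constructed sample of what an authorization lookup against AD returns:
# the memberOf attribute is the list of group DNs the user belongs to.
SAMPLE_DIRECTORY = {
    "alice": {"memberOf": [ALLOWED_GROUP_DN, DOMAIN_USERS_DN]},
    "bob": {"memberOf": [DOMAIN_USERS_DN]},
}

ADMIN_PROFILE = "Tacacs-Admin"   # constructed profile name
DENY_PROFILE = "Deny-Access"     # constructed profile name


def member_of(attrs, group_dn):
    """True if the user's memberOf list contains group_dn.

    AD distinguished names are case-insensitive, so compare case-folded
    values rather than raw strings; a case mismatch in a typed-in group
    name is a common reason a membership condition never matches.
    """
    wanted = group_dn.casefold()
    return any(dn.casefold() == wanted for dn in attrs.get("memberOf", []))


def build_policy(default_profile):
    """One ordered rule (member of the allowed group -> admin profile)
    followed by the default profile that catches everyone else."""
    rules = [
        (lambda attrs: member_of(attrs, ALLOWED_GROUP_DN), ADMIN_PROFILE),
    ]
    return {"rules": rules, "default": default_profile}


def enforce(policy, username, directory):
    """Evaluate the policy for one authenticated user.

    A user the authentication source cannot return (for example because a
    restrictive filter on the AD source excluded them) is rejected outright,
    which is the 'nobody can log in' symptom seen later in the thread.
    """
    attrs = directory.get(username)
    if attrs is None:
        return DENY_PROFILE
    for condition, profile in policy["rules"]:
        if condition(attrs):
            return profile
    return policy["default"]


if __name__ == "__main__":
    # Misconfiguration from the thread: default profile allows access,
    # so any AD account that authenticates gets device-admin rights.
    permissive = build_policy(default_profile=ADMIN_PROFILE)
    # Corrected policy: default profile rejects, only group members pass.
    strict = build_policy(default_profile=DENY_PROFILE)
    for name in ("alice", "bob", "carol"):
        print(name, "permissive:", enforce(permissive, name, SAMPLE_DIRECTORY),
              "strict:", enforce(strict, name, SAMPLE_DIRECTORY))
```

    Running it shows the difference the default profile makes: with a permissive default, "bob" (a plain domain user) is granted the admin profile; with a deny default, only "alice" (a member of the allowed group) is. The check a practitioner would add when a group condition never matches is the case-insensitive DN comparison above, because a group name typed with the wrong case is a frequent cause of a silently failing condition.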


  • 8.  RE: Clearpass and specific AD group

    Posted Jan 20, 2017 04:44 AM

    Hi,

    I switched the default to "Not_allowed", but still all AD users are able to log in to network devices.

    cppm_roles2.jpg



  • 9.  RE: Clearpass and specific AD group

    EMPLOYEE
    Posted Jan 20, 2017 04:46 AM
    You just need to delete the role mapping. Only use enforcement, and you need to change the default there.


  • 10.  RE: Clearpass and specific AD group

    EMPLOYEE
    Posted Jan 20, 2017 04:49 AM
    Role mapping is essentially a grouping function. It only needs to be used if you want to tie multiple conditions to one role. Roles are not required.


  • 11.  RE: Clearpass and specific AD group

    Posted Jan 20, 2017 05:14 AM

    Hi,

    I removed Roles from use and set up Enforcement as below:

    cppm_enforcement2.jpg

    Now the problem is that no one is able to log in to network devices. My authentication source is:

    cppm_auth.jpg

    Problem NOT solved!




  • 13.  RE: Clearpass and specific AD group
    Best Answer

    EMPLOYEE
    Posted Jan 20, 2017 05:16 AM
    Looks like you added a filter to your AD source. Put that back to the default.


  • 14.  RE: Clearpass and specific AD group

    Posted Jan 20, 2017 05:56 AM

    Hi,

    This solved the case. Thank you both for your help!



  • 15.  RE: Clearpass and specific AD group

    Posted Jan 20, 2017 04:14 AM

    OK, so it's not done under the "Authentication" tab?

    Like "Look up users from this specific AD group"?