MVP
Posts: 2,932
Registered: ‎10-25-2011

Contains vs equal clearpass policy Manager

Hello

I was building a rule just now as I was preparing a demo... and I was stuck for a whole 10 minutes.

I have a group in AD whose name is Ingenieria.

So I was building a rule which says memberOf EQUALS Ingenieria... it didn't work...

But as soon as I changed it to CONTAINS, it worked...

What's the difference?

As far as I knew, EQUALS is just that, equals... it was looking for a group in Active Directory with that same name...

Contains would be an AD group that contains the word Ingenieria...

Am I wrong? If so, can you guys enlighten me on this?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 8,214
Registered: ‎09-08-2010

Re: Contains vs equal clearpass policy Manager

Equals means it solely contains that single, unique value. Since memberof may have multiple values, you need to use Contains.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 2,932
Registered: ‎10-25-2011

Re: Contains vs equal clearpass policy Manager

So basically on memberOf you always have to use Contains? You never use Equals?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,932
Registered: ‎10-25-2011

Re: Contains vs equal clearpass policy Manager

It's just that, as I'm referring to a group name, for me it has a single unique value... the only name it has, which in this case is Ingenieria...

That's why I don't understand...

 

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 8,214
Registered: ‎09-08-2010

Re: Contains vs equal clearpass policy Manager

Yes, I always use Contains.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Contains vs equal clearpass policy Manager

For memberOf... ALWAYS use Contains. EQUALS will never hit, as you would need to match on the entire string returned from AD.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite
Posts: 20,600
Registered: ‎03-29-2007

Re: Contains vs equal clearpass policy Manager

[ Edited ]

Edit.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 421
Registered: ‎11-04-2011

Re: Contains vs equal clearpass policy Manager

For memberOf, you need to use Contains; if you use the Groups property, you can use EQUALS:

 

(Authorization:dc-02.nl:Groups  EQUALS  Domain Admins)

 

Personally I tend to use Groups instead of memberOf, as it makes a more thorough match.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Contributor II
Posts: 139
Registered: ‎05-12-2010

Re: Contains vs equal clearpass policy Manager

How is Groups better than memberOf? BTW, for a more exact match, you need to use a full path with memberOf, like

(Authorization:SENSENET Domain:memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu)

 

If you use (Authorization:SENSENET Domain:memberOf  CONTAINS  Staff) it would match any group that contains the string "Staff" and any group in a path that contains "Staff".

 

What is the behavior of using "Groups EQUALS"?

Bruce Osborne - Wireless Engineer
ACCP
MVP
Posts: 421
Registered: ‎11-04-2011

Re: Contains vs equal clearpass policy Manager

In your example, memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu is indeed a complete match.

 

And that is functionally equal to Groups EQUALS Staff (which is much shorter).

 

Where a possible issue lies is in a case like the one in the question, where memberOf CONTAINS Ingenieria. In that case, CN=Disabled-Users,OU=Ingenieria,DC=domain,DC=com will match.

Groups EQUALS Ingenieria does exactly what is expected in this question, and seems better for overview to me in most cases. This does not match anything other than the group name Ingenieria.

So I prefer to use the Groups EQUALS variant, as it better matches the expectations that many users have and for that reason avoids errors.

 

Herman

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
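The over-match discussed in this thread, as an added example that is not part of any post and is not ClearPass code: a small Python model of the three comparisons. The memberOf values are constructed, the function names are hypothetical, and treating memberOf as one comma-joined string for EQUALS is an assumption based on the "entire string returned from AD" description above.

```python
import re

# Constructed memberOf values (full distinguished names) for two users.
USER_A = ["CN=Disabled-Users,OU=Ingenieria,DC=domain,DC=com",
          "CN=Domain Users,CN=Users,DC=domain,DC=com"]
USER_B = ["CN=Ingenieria,OU=Groups,DC=domain,DC=com",
          "CN=Domain Users,CN=Users,DC=domain,DC=com"]

def rdns(dn):
    """Split a DN into (type, value) pairs; a backslash-escaped comma does not split."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        pairs.append((attr, value))
    return pairs

def group_names(member_of):
    """The leading CN of each DN, i.e. the group's own name."""
    return [value for attr, value in (rdns(dn)[0] for dn in member_of)
            if attr.upper() == "CN"]

def memberof_equals(member_of, operand):
    # Assumption: EQUALS compares against the whole multi-valued string.
    return ", ".join(member_of) == operand

def memberof_contains(member_of, operand):
    # Substring match: hits OUs and partial names as well as the group CN.
    return any(operand in dn for dn in member_of)

def groups_equals(member_of, operand):
    # Exact match on the group name only, the behaviour described for Groups.
    return operand in group_names(member_of)

def evaluate(member_of, operand):
    return {"memberOf EQUALS": memberof_equals(member_of, operand),
            "memberOf CONTAINS": memberof_contains(member_of, operand),
            "Groups EQUALS": groups_equals(member_of, operand)}

if __name__ == "__main__":
    for label, user in (("A (only under OU=Ingenieria)", USER_A),
                        ("B (member of CN=Ingenieria)", USER_B)):
        print(label, evaluate(user, "Ingenieria"))
```

User A is not in the Ingenieria group, yet the short CONTAINS operand matches because of the OU in the path; a full-DN operand or a group-name comparison does not.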