Occasional Contributor I

Endpoint attributes on a web login

Dear All,

 

I would like to update the endpoint with the username of the user that was authenticated.

 

I have ticked "Mark the user’s MAC address as a known endpoint" and I can see the relevant endpoint changing from "UnKnown" to "Known" in the Endpoint DB, so I know that the web login is picking up the correct MAC address and can connect to the endpoint DB correctly.

 

I have then added:

 

username | username

 

in the "Customize attributes stored with the endpoint" in the hope of adding the username from the web login to the username attribute of the endpoint but the attribute never appears...?

 

As far as I can work out, the name of the field is username (I have tried user as well), and I have tried combinations of capitals, but all to no avail.

 

Am I missing something simple?

 

Cheers,

 

Jaggie

Guru Elite

Re: Endpoint attributes on a web login

Create a new enforcement profile that updates the endpoint and add it to your web login enforcement policy.

 

authentication-username-update.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Endpoint attributes on a web login

Hi Tim,

 

That's what I thought I would do, but the enforcement policy never triggers on the endpoint. I expect this is because the service that the web login triggers is an "Application" and therefore the MAC address is given via URL parameters and therefore only appears in the Application:WebLoginURL:client_id variable and not as Connection:MACAddress or similar.

 

Does that make sense?

 

Cheers

Guru Elite

Re: Endpoint attributes on a web login

What is this web login being used for? Is it a network device login or something else?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Endpoint attributes on a web login

It is being used for onboarding.

 

If device connects (MAC-AUTH) and they are in the Endpoint DB (and Known and have a specific custom attribute set) then we will let them on and return the username to the controller from the endpoint attribute.

 

If the device is not in the endpoint DB then assume that they are an unknown - they get CP and they can decide if they are a guest (self registration or sponsor) or that they are an employee and are redirected to the weblogin in order to auth against an MS Active Directory in order to mark their endpoint as Known and assign the specific custom attributes that are needed.

 

Does that make sense?

 

Jaggie

 

 
