Occasional Contributor I
Posts: 7
Registered: ‎02-13-2014

Extracting realm from User-Name as a role

Is it possible to use the realm that is sent as a request as part of role mapping or attribute mapping?

We have a legacy RADIUS configuration that uses a format of:

username@role

to determine the specified role that the user is requesting. This allows an end-user to specify the desired role as part of the request (i.e. user@guest, user@staff). I could create a separate service/role mapping for every role, but we have about 140 roles that need to be mapped. Ideally I would like to be able to use a single service/policy that does the equivalent of:

1. User authenticates with: $user@$role
2. Authenticate $user
3. If $role is in the user's "Groups" attributes, grant access AND return "Class=$role", else Deny

Any ideas of how to implement this in a single service? Thanks.

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: Extracting realm from User-Name as a role

Try something like this:

enf-domain-map.PNG

OR THIS

rolemap-domain-map.PNG

Make sure that you strip the realm in your service, otherwise authentication to LDAP or AD will fail.

strip-domain-at.PNG


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 7
Registered: ‎02-13-2014

Re: Extracting realm from User-Name as a role

Tim, that is definitely getting me closer to what I'm looking for. The other part that I need was adding an "AND" clause to the mapping to ensure that the user is also in the group (to prevent student@student from entering student@faculty and getting @faculty access).

The new mapping looks something like:

(Authorization:ActiveDirectory:Groups EQUALS staff)
AND (Authentication:Full-Username ENDS_WITH @staff)

It would be nice if I could replace "staff" with %{realm}, but this is a massive improvement over my initial idea of creating separate services for every role.

Guru Elite
Posts: 7,847
Registered: ‎09-08-2010

Re: Extracting realm from User-Name as a role

Unfortunately you'd need to create a role map rule for each variation. You still only need one service though.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
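As an added illustration (not ClearPass configuration and not code from anyone in this thread), the following Python models the policy the thread arrives at: strip the realm, authenticate the bare username, then grant and return Class=<realm> only when the requested realm is one of the user's groups, so that student@faculty authenticates but is denied the faculty role. It generalizes the per-role rule by treating the realm as a variable, and the hypothetical rule_text helper prints the per-role rule string that would otherwise be written out once per role. The sample directory contents are constructed.

```python
import hmac

# Constructed sample directory (not real data): user -> (password, AD groups)
DIRECTORY = {
    "alice": ("pw-alice", {"staff", "faculty"}),
    "bob": ("pw-bob", {"student"}),
}

def split_realm(full_username):
    """Split 'user@realm' on the last '@' (the strip-realm step).
    Returns (user, None) when no realm is present."""
    user, sep, realm = full_username.rpartition("@")
    return (user, realm) if sep else (full_username, None)

def evaluate(full_username, password, directory=DIRECTORY):
    """Model of the thread's single-service policy:
    1. strip the realm so the bare username is authenticated,
    2. authenticate $user,
    3. grant and return Class=$realm only if $realm is in the user's
       groups AND the original User-Name ends with @$realm; else deny."""
    user, realm = split_realm(full_username)
    if realm is None:
        return ("REJECT", "no realm in User-Name")
    record = directory.get(user)
    # Constant-time password comparison for the known-user case.
    if record is None or not hmac.compare_digest(record[0], password):
        return ("REJECT", "authentication failed")
    groups = record[1]
    if realm in groups and full_username.endswith("@" + realm):
        return ("ACCEPT", "Class=" + realm)
    # e.g. bob@faculty: password is right, but the group check blocks the role.
    return ("REJECT", "not a member of " + realm)

def rule_text(role):
    """Hypothetical helper: the per-role rule string from the thread,
    generated once per role since the realm cannot be substituted."""
    return ("(Authorization:ActiveDirectory:Groups EQUALS {0}) "
            "AND (Authentication:Full-Username ENDS_WITH @{0})").format(role)

if __name__ == "__main__":
    for name, pw in [("alice@staff", "pw-alice"), ("bob@faculty", "pw-bob")]:
        print(name, evaluate(name, pw))
    print(rule_text("staff"))
```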