Occasional Contributor II

How can I use generic LDAP as an authorization source in ClearPass?

Hi everyone. I am trying to do a role mapping in ClearPass based on a custom attribute defined in a generic LDAP server. I have added the server as an authentication source with type Generic LDAP and have checked the box to fetch attributes for role mapping. I have also added attributes to the source to pull the info I need for the user. The filter queries are working fine (I think), but when I see an authentication come through, there are no authorization attributes coming from the LDAP server (see screenshots below). Can someone point me in the right direction to get the authorization working on a Generic LDAP server? Thanks.

Guru Elite

Re: How can I use generic LDAP as an authorization source in ClearPass?

Add it as an authorization source to your service instead of an authentication source.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: How can I use generic LDAP as an authorization source in ClearPass?

Thanks, Tim. I have it as an authentication source and an authorization source. See screenshot.

SecureService-AuthorizationSources.jpg

Guru Elite

Re: How can I use generic LDAP as an authorization source in ClearPass?

Remove it from your authentication list. In access tracker, you'll see it's hitting that source instead of AD.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: How can I use generic LDAP as an authorization source in ClearPass?

Still no love. And now the user authentication fails as well since the user account lives only in that generic LDAP database.

Guru Elite

Re: How can I use generic LDAP as an authorization source in ClearPass?

Oh sorry. Misread. I thought you were only using LDAP for authorization.

In access tracker, I see "Adjunct". Is that coming from the MajorAffiliation attribute?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: How can I use generic LDAP as an authorization source in ClearPass?

This is my role mapping. Currently, faculty and staff live in AD-2012 and students live in IDM. The idea is to apply the role based on the authentication source and the custom attribute called ***majoraffiliation. I have a catchall for IDM mapping the user to the Adjunct role just so I can do CoAs as I test changes.

Occasional Contributor II

Re: How can I use generic LDAP as an authorization source in ClearPass?

SecureService-RoleMapping.jpg

Re: How can I use generic LDAP as an authorization source in ClearPass?

When you have it for authentication and authorization again, have you double-checked all spelling and caps? Do other attributes show up?
