Occasional Contributor I

How to map access to a specific AD Security Group

I would like to map user access to certain VLANs against membership in specific Microsoft Active Directory Security Groups (e.g. admins).

 

My consultant told me we had to use a generic group search attribute that would pull strings from ALL security groups as well as ALL distribution groups. Obviously this would not pass an audit.

 

Can anyone help with what an LDAP filter/query would look like (as an example) to map the authorization to a specific security group?

 

Thanks--

Guru Elite

Re: How to map access to a specific AD Security Group

That's not really how it works. Group is one of the available AD attributes pulled during authorization. You can write a rule to check and see if the user is a member of a certain group using the Group attribute.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: How to map access to a specific AD Security Group

Could you elaborate a bit more or provide example syntax? Thanks
Guru Elite

Re: How to map access to a specific AD Security Group

[Attached screenshot: Screen Shot 2017-10-12 at 10.25.05 AM.png]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: How to map access to a specific AD Security Group

Got it, so it's possible to drill down and make it search for a specific group name or "string" -- right?

 

But, is it possible to restrict that search to security groups only, rather than search for the string across security and distribution groups?

Guru Elite

Re: How to map access to a specific AD Security Group

Yes, it's an exact match check.

You can also use the memberOf attribute if you want to match on the entire DN of the group.

 

AD stores both security groups and DLs in the memberOf context, so no, there is really no way to limit it. I can't imagine a DL and security group would have the same name.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
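The thread ends with the memberOf check being an exact match on the group DN, with no way to tell security groups from distribution lists inside that one attribute. As an added example (not Tim's, not ClearPass's, and not a ClearPass rule definition), the Python below shows how that exact-match check behaves against a constructed directory, compares it with the over-broad substring search the consultant described, and goes one step further than the thread's answer: it builds a second, group-side LDAP filter that uses the AD groupType attribute's security-enabled bit (0x80000000, tested with the bitwise-AND matching rule OID 1.2.840.113556.1.4.803) so a lookup can confirm the matched DN really is a security group. The user names, group DNs and groupType values are all constructed sample data; the flag value and matching-rule OID are standard Active Directory definitions.

```python
"""Exact-match AD group authorization check, restricted to security groups.

All directory content below is constructed sample data for the example.
"""

# ADS_GROUP_TYPE_SECURITY_ENABLED bit of the AD groupType attribute.
SECURITY_ENABLED = 0x80000000

# LDAP_MATCHING_RULE_BIT_AND: lets an LDAP filter test individual bits.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample groups: DN -> groupType.
# 0x80000002 = global security group, 0x00000002 = global distribution list.
# Note the DL and the security group share the same CN "Network Admins".
SAMPLE_GROUPS = {
    "CN=Network Admins,OU=Groups,DC=example,DC=com": 0x80000002,
    "CN=Network Admins,OU=DistLists,DC=example,DC=com": 0x00000002,
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": 0x80000002,
}

# Constructed sample users: sAMAccountName -> memberOf values.
SAMPLE_USERS = {
    "jdoe": [
        "CN=Network Admins,OU=DistLists,DC=example,DC=com",
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",
    ],
    "asmith": [
        "CN=Network Admins,OU=Groups,DC=example,DC=com",
    ],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN or account name cannot alter the filter."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def user_in_group_filter(sam_account: str, group_dn: str) -> str:
    """User-side filter: account whose memberOf contains exactly group_dn."""
    return (f"(&(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(sam_account)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


def security_group_filter(group_dn: str) -> str:
    """Group-side filter: the DN exists and has the security-enabled bit set."""
    return (f"(&(objectCategory=group)"
            f"(distinguishedName={escape_filter_value(group_dn)})"
            f"(groupType:{BIT_AND_RULE}:={SECURITY_ENABLED}))")


def is_security_group(group_dn: str, groups=SAMPLE_GROUPS) -> bool:
    """Local equivalent of security_group_filter() over the sample data."""
    gtype = groups.get(group_dn)
    return gtype is not None and bool(gtype & SECURITY_ENABLED)


def user_in_security_group(sam_account: str, group_dn: str,
                           users=SAMPLE_USERS, groups=SAMPLE_GROUPS) -> bool:
    """Authorization decision: exact DN match AND the group is security-enabled."""
    member_of = users.get(sam_account, [])
    return group_dn in member_of and is_security_group(group_dn, groups)


def users_matched_by_substring(cn_fragment: str, users=SAMPLE_USERS) -> list:
    """The over-broad check from the thread: a substring hit on any group name,
    security group or DL alike. Shown only to contrast with the exact match."""
    return sorted(u for u, dns in users.items()
                  if any(cn_fragment in dn for dn in dns))


if __name__ == "__main__":
    admins = "CN=Network Admins,OU=Groups,DC=example,DC=com"
    print(user_in_group_filter("asmith", admins))
    print(security_group_filter(admins))
    for user in SAMPLE_USERS:
        print(user, "->", user_in_security_group(user, admins))
    print("substring match:", users_matched_by_substring("Network Admins"))
```

Running it shows that only `asmith` passes the exact DN check for the security group, while the substring search also returns `jdoe`, who is merely on the same-named distribution list. In a real deployment the two filters would be sent to the domain controller as a membership lookup followed by a groupType confirmation; here the same logic runs locally over the sample data.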