Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Local user Authorization attribute

  • 1.  Local user Authorization attribute

    Posted Jul 02, 2016 08:57 AM

    I have device registration and a "mydevices" portal set up via a ClearPass application service. This all works fine. I am trying to create a group of users who can see/register under multiple roles. I currently have this set up under the service, role mapping, as

    (Authorization:[Local User Repository]:Role_Name  EQUALS  UB_Staff_Reg)UB_Staff_Reg


    This all works fine. I originally started with userdn equals xxxx. But I expect a long list of users and did not want to have to list them all individually in the role mapping. So I moved to this model, which allows me to use the local database to mark a user as able to register other users. I am unhappy with this model as I suspect I might need the local database role_name for something else in the future.


    What I really need is a way to just have a list of usernames that are in this group. Besides adding an external authorization source, I am not sure how to do this. My second option was to add attributes in the local database that I can query off for this. Attributes are better than the "role_name" as I may use role name for something else. I can add attributes just fine, but I cannot get my service to do role mapping on them.


    I think I need to add a filter under Sources > [Local User Repository] but am unclear how to do this.


    Any ideas how to do this?



  • 2.  RE: Local user Authorization attribute

    EMPLOYEE
    Posted Jul 02, 2016 09:11 AM
    Yes, it's probably best to add a new attribute for local users. That attribute will then be automatically available under the LocalUser context.


  • 3.  RE: Local user Authorization attribute

    Posted Jul 02, 2016 04:26 PM
    Tim,

    I tried that and it did not seem to work. Here is what I did.

    1. I went to the local user in question and added an attribute:

    Reg_Name = UB_Staff_Reg
    
    
    2. I then went to the service policy under Roles and added the rule:

    local user    Reg_Name   equals    UB_Staff_reg   -> role = UB_Staff_Reg
    
    
    
    And it did not work. Looking at the Access Tracker, I never see that attribute in the "authorized attributes or completed attributes".
    
    
    All I see is:
    
    Authorization:[Local User Repository]:Enabled    true
    Authorization:[Local User Repository]:Role_Name  UB_Staff_Reg
    
    
    Which led me to believe I needed to somehow add that attribute so it shows up as an authorization attribute. Like maybe adding it under the local user database as a filter?