07-02-2016 05:57 AM
I have device registration and a "mydevices" portal set up via a ClearPass application service. This all works fine. I am trying to create a group of users who can see/register under multiple roles. I currently have this set up under the service, role mapping as:

| Conditions | Role Name |
|---|---|
| (Authorization:[Local User Repository]:Role_Name EQUALS UB_Staff_Reg) | UB_Staff_Reg |
This all works fine. I originally started with userdn equals xxxx. But I expect a long list of users and did not want to have to list them all individually in the role mapping. So I moved to this model, which allows me to use the local database to mark a user as able to register other users. I am unhappy with this model as I suspect I might need the local database role_name for something else in the future.
What I really need is a way to just have a list of usernames that are in this group. Besides adding an external authorization source, I am not sure how to do this. My second option was to add attributes in the local database that I can query off for this. Attributes are better than the "role_name" as I may use role name for something else. I can add attributes just fine, but I cannot get my service to do role mapping on them.
I think I need to add a filter under Sources > [Local User Repository] but am unclear how to do this.
Any ideas how to do this?
07-02-2016 06:10 AM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
07-02-2016 01:26 PM
Tim, I tried that and it did not seem to work. Here is what I did.
1. I went to the local user in question and added attribute Reg_Name = UB_Staff_Reg
2. I then went to the service policy under roles and added the rule: local user Reg_Name equals UB_Staff_reg -> role = UB_Staff_Reg
And it did not work. Looking at the Access Tracker, I never see that attribute in the "authorized attributes or completed attributes"; all I see is
Authorization:[Local User Repository]:Enabled true
Authorization:[Local User Repository]:Role_Name UB_Staff_Reg
which led me to believe I needed to somehow add that attribute so it shows up as an authorization attribute. Like maybe adding it under the local user database as a filter?
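The behaviour described in the two posts above (a role-mapping rule on a custom local-user attribute that never matches, while the Access Tracker lists only Enabled and Role_Name as authorization attributes) can be modelled in a few lines. The following is an added illustration written for this page, not ClearPass code and not part of the thread. It assumes the condition syntax shown in the role-mapping table (Authorization:[Source]:Attribute EQUALS value), treats EQUALS as case-sensitive, adds an assumed EQUALS_IGNORE_CASE operator for contrast, and uses constructed attribute sets; the key point it demonstrates is that a rule can only match attributes the authorization source actually returned, so an attribute that exists on the user record but was never fetched into the authorization attribute set can never satisfy a rule.

```python
"""Illustrative model of ClearPass-style role-mapping evaluation.

Added example for this page; not ClearPass code. Rule syntax follows the
thread's role-mapping table. EQUALS_IGNORE_CASE is an assumed operator.
All attribute dictionaries below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# (Authorization:[Local User Repository]:Role_Name EQUALS UB_Staff_Reg)
RULE_RE = re.compile(
    r"^\(?\s*Authorization:\[(?P<source>[^\]]+)\]:(?P<attr>[A-Za-z0-9_]+)"
    r"\s+(?P<op>EQUALS_IGNORE_CASE|EQUALS)\s+(?P<value>.+?)\s*\)?$"
)

Rule = Tuple[str, str]  # (condition, role to assign when it matches)


def parse_condition(condition: str) -> Tuple[str, str, str]:
    """Split a condition into (attribute key, operator, expected value)."""
    m = RULE_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    key = f"Authorization:[{m['source']}]:{m['attr']}"
    return key, m["op"], m["value"]


def condition_matches(condition: str, authz_attrs: Dict[str, str]) -> bool:
    """A rule can only see attributes the source returned (authz_attrs)."""
    key, op, expected = parse_condition(condition)
    actual = authz_attrs.get(key)
    if actual is None:
        # Attribute never fetched from the source: the rule cannot match,
        # no matter what the user record itself holds.
        return False
    if op == "EQUALS":
        return actual == expected
    return actual.casefold() == expected.casefold()


def map_roles(rules: List[Rule], authz_attrs: Dict[str, str],
              default_role: str = "[Guest]", first_match: bool = True) -> List[str]:
    """Return the role(s) assigned by the rules, or the default role."""
    roles = []
    for condition, role in rules:
        if condition_matches(condition, authz_attrs):
            roles.append(role)
            if first_match:
                break
    return roles or [default_role]


# Constructed sample: what the Access Tracker in the thread shows.
TRACKER_ATTRS = {
    "Authorization:[Local User Repository]:Enabled": "true",
    "Authorization:[Local User Repository]:Role_Name": "UB_Staff_Reg",
}
# Constructed sample: the same user once Reg_Name is returned as well.
TRACKER_ATTRS_WITH_REG = dict(
    TRACKER_ATTRS,
    **{"Authorization:[Local User Repository]:Reg_Name": "UB_Staff_Reg"},
)

ROLE_NAME_RULE = ("(Authorization:[Local User Repository]:Role_Name EQUALS UB_Staff_Reg)",
                  "UB_Staff_Reg")
REG_NAME_RULE = ("(Authorization:[Local User Repository]:Reg_Name EQUALS UB_Staff_Reg)",
                 "UB_Staff_Reg")
REG_NAME_RULE_LOWER = ("(Authorization:[Local User Repository]:Reg_Name EQUALS UB_Staff_reg)",
                       "UB_Staff_Reg")
REG_NAME_RULE_IC = ("(Authorization:[Local User Repository]:Reg_Name EQUALS_IGNORE_CASE UB_Staff_reg)",
                    "UB_Staff_Reg")


def demo() -> Dict[str, List[str]]:
    """Evaluate each scenario; keys describe the case, values are roles."""
    return {
        "role_name_rule": map_roles([ROLE_NAME_RULE], TRACKER_ATTRS),
        "reg_name_rule_attr_missing": map_roles([REG_NAME_RULE], TRACKER_ATTRS),
        "reg_name_rule_attr_present": map_roles([REG_NAME_RULE], TRACKER_ATTRS_WITH_REG),
        "reg_name_rule_case_mismatch": map_roles([REG_NAME_RULE_LOWER], TRACKER_ATTRS_WITH_REG),
        "reg_name_rule_ignore_case": map_roles([REG_NAME_RULE_IC], TRACKER_ATTRS_WITH_REG),
    }


if __name__ == "__main__":
    for case, roles in demo().items():
        print(f"{case:30s} -> {roles}")
```

The first two scenarios reproduce the thread: the Role_Name rule matches because Role_Name is among the returned attributes, and the Reg_Name rule falls through to the default role because Reg_Name is not. The remaining scenarios show that once the attribute is returned, the rule is still only as good as an exact (or explicitly case-insensitive) value comparison, which is why checking the exact attribute name and value in the Access Tracker is the first step when a mapping does not fire.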