Security

Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Local user Authorization attribute

I have device registration and a "mydevices" portal set up via a ClearPass application service. This all works fine. I am trying to create a group of users who can see/register under multiple roles. I currently have this set up under the service, role mapping, as

(Authorization:[Local User Repository]:Role_Name  EQUALS  UB_Staff_Reg)UB_Staff_Reg


This all works fine. I originally started with userdn equals xxxx. But I expect a long list of users and did not want to have to list them all individually in the role mapping. So I moved to this model, which allows me to use the local database to mark a user as able to register other users. I am unhappy with this model, as I suspect I might need the local database role_name for something else in the future.


What I really need is a way to just have a list of usernames that are in this group. Besides adding an external authorization source, I am not sure how to do this. My second option was to add attributes in the local database that I can query off for this. Attributes are better than the "role_name", as I may use role name for something else. I can add attributes just fine, but I cannot get my service to do role mapping on them.


I think I need to add a filter under Sources [Local User Repository] but am unclear how to do this.


Any ideas how to do this?

Guru Elite
Posts: 8,011
Registered: ‎09-08-2010

Re: Local user Authorization attribute

Yes, it's probably best to add a new attribute for local users. That attribute will then be automatically available under the LocalUser context.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Re: Local user Authorization attribute

Tim,

I tried that and it did not seem to work. Here is what I did.

1. I went to the local user in question and added attribute

Reg_Name	=	UB_Staff_Reg


2. I then went to the service policy under roles and added the rule

local user    Reg_Name   equals    UB_Staff_reg   - role = UB_Staff_Reg



And it did not work. Looking at the Access Tracker, I never see that attribute in the "authorization attributes" or "computed attributes".


all I see is

Authorization:[Local User Repository]:Enabled	true
Authorization:[Local User Repository]:Role_Name	UB_Staff_Reg


Which led me to believe I needed to somehow add that attribute so it shows up as an authorization attribute. Like maybe adding it under the local user database as a filter?
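The reasoning in the thread (a role-mapping rule can only fire on an attribute that actually appears in the request's authorization-attribute context, which is why the Access Tracker listing matters) can be checked with a small simulation. The following is an added example for this page, not ClearPass code and not anything posted by the participants: it parses the two Access Tracker lines quoted above as constructed sample input, evaluates rules written in the same "(attribute OPERATOR value) role" shape as the poster's, and reports why each rule did or did not match. The operator names EQUALS, EQUALS_IGNORE_CASE and EXISTS are modelled on ClearPass's operators, but their semantics here (EQUALS is case-sensitive) are this simulation's assumption; the third sample context, in which a Reg_Name attribute has been surfaced under the same Authorization:[Local User Repository] prefix, is likewise an assumption about how such an attribute would appear.

```python
"""
Simulated role-mapping evaluation over Access Tracker authorization attributes.

Added illustration for this thread; not ClearPass code. It models one point:
a rule referencing an attribute that is absent from the request's
authorization-attribute context can never match, whatever its value.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two lines the poster saw in Access Tracker, in the
# "name<TAB>value" form in which they were pasted.
ACCESS_TRACKER_LINES = (
    "Authorization:[Local User Repository]:Enabled\ttrue\n"
    "Authorization:[Local User Repository]:Role_Name\tUB_Staff_Reg\n"
)

# Constructed (assumed attribute name and prefix): the same context if the
# custom local-user attribute were fetched as an authorization attribute.
ACCESS_TRACKER_LINES_WITH_REG_NAME = ACCESS_TRACKER_LINES + (
    "Authorization:[Local User Repository]:Reg_Name\tUB_Staff_Reg\n"
)

# Rules in the "(attribute OPERATOR value) role" shape used in the thread.
# The second rule reproduces the lowercase "reg" exactly as typed in the post.
RULES = [
    "(Authorization:[Local User Repository]:Role_Name  EQUALS  UB_Staff_Reg)UB_Staff_Reg",
    "(Authorization:[Local User Repository]:Reg_Name EQUALS UB_Staff_reg) UB_Staff_Reg",
    "(Authorization:[Local User Repository]:Reg_Name EQUALS_IGNORE_CASE UB_Staff_reg) UB_Staff_Reg",
]

# Longer operator name first so the alternation does not stop at "EQUALS".
RULE_RE = re.compile(
    r"^\((?P<attr>.+?)\s+(?P<op>EQUALS_IGNORE_CASE|EQUALS|EXISTS)\b"
    r"(?:\s+(?P<val>[^)]*?))?\s*\)\s*(?P<role>\S+)$"
)


def parse_attributes(text: str) -> Dict[str, str]:
    """Turn tab-separated 'name<TAB>value' lines into a name -> value map."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        attrs[name.strip()] = value.strip()
    return attrs


def parse_rule(rule: str) -> Tuple[str, str, str, str]:
    """Split a rule into (attribute, operator, value, role)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    return m.group("attr"), m.group("op"), m.group("val") or "", m.group("role")


def rule_matches(attrs: Dict[str, str], attr: str, op: str, val: str) -> bool:
    """Evaluate one condition against the attribute context."""
    if attr not in attrs:
        return False  # absent from the context: can never fire
    actual = attrs[attr]
    if op == "EXISTS":
        return True
    if op == "EQUALS":
        return actual == val  # assumed case-sensitive in this model
    if op == "EQUALS_IGNORE_CASE":
        return actual.casefold() == val.casefold()
    raise ValueError(f"unknown operator {op!r}")


def diagnose(attr_text: str, rules: List[str]) -> List[Tuple[str, str, str]]:
    """Per rule: (role, status, detail) with status in
    {'matched', 'missing_attribute', 'value_mismatch'}."""
    attrs = parse_attributes(attr_text)
    report = []
    for rule in rules:
        attr, op, val, role = parse_rule(rule)
        if attr not in attrs:
            report.append((role, "missing_attribute",
                           f"{attr} is not in the authorization attributes"))
        elif rule_matches(attrs, attr, op, val):
            report.append((role, "matched", f"{attr}={attrs[attr]!r} {op} {val!r}"))
        else:
            report.append((role, "value_mismatch",
                           f"{attr}={attrs[attr]!r} does not {op} {val!r}"))
    return report


def map_roles(attr_text: str, rules: List[str]) -> List[str]:
    """Roles assigned by the matching rules, in rule order, without duplicates."""
    roles: List[str] = []
    for role, status, _ in diagnose(attr_text, rules):
        if status == "matched" and role not in roles:
            roles.append(role)
    return roles


if __name__ == "__main__":
    for label, ctx in (("as seen in Access Tracker", ACCESS_TRACKER_LINES),
                       ("with Reg_Name surfaced", ACCESS_TRACKER_LINES_WITH_REG_NAME)):
        print(f"--- {label}: roles={map_roles(ctx, RULES)}")
        for role, status, detail in diagnose(ctx, RULES):
            print(f"{status:18} -> {role}: {detail}")
```

Run against the first context, only the Role_Name rule matches and both Reg_Name rules report missing_attribute, which is the symptom described in the post. Once the attribute is present, the EQUALS rule with the lowercase value still fails on case in this model while the EQUALS_IGNORE_CASE variant matches; whether ClearPass's own EQUALS is case-sensitive is worth confirming in the product rather than assuming from this simulation, so checking the exact case of the value in the rule against the value stored on the user is a cheap second step after confirming the attribute appears in Access Tracker at all.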