Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LocalUser Attributes as Variables for Enforcement

  • 1.  LocalUser Attributes as Variables for Enforcement

    MVP
    Posted May 15, 2017 12:30 PM

    I have a customer who wants to have administrative control over how many devices each individual user can use. We are using the LocalUser DB and will be doing user-based authentication. I created an attribute on Local User called "permitted device count". How do I reference that as a variable in Enforcement?

     

    Example:

    Authentication: Unique Device Count GREATER THAN {%LocalUser:permitted device count} = Deny Access

     

    I've used variables before, but I'm having a hard time with this one.

     

    Thanks.



  • 2.  RE: LocalUser Attributes as Variables for Enforcement

    EMPLOYEE
    Posted May 15, 2017 12:36 PM
    Do you see it available in the LocalUser namespace in an enforcement policy?


  • 3.  RE: LocalUser Attributes as Variables for Enforcement

    MVP
    Posted May 15, 2017 12:38 PM

    I have the ability to select it from Name, but need a way to reference the Value configured for each Local User. 



  • 4.  RE: LocalUser Attributes as Variables for Enforcement
    Best Answer

    EMPLOYEE
    Posted May 15, 2017 12:40 PM
    %{LocalUser:attribute}


  • 5.  RE: LocalUser Attributes as Variables for Enforcement

    MVP
    Posted May 15, 2017 12:53 PM

    Tried adding that, but it did not even recognize it. Do I need to make that an Authorization attribute for it to work? 

     

    In Access Tracker, under Computed Attributes I see the configured value, but it doesn't appear to be matching or referencing it during the authentication.

     

    I have it currently set to 0, but it allowed me access. 

     

    Condition is Greater Than = Deny Access.



  • 6.  RE: LocalUser Attributes as Variables for Enforcement

    EMPLOYEE
    Posted May 15, 2017 01:00 PM
    Try and just use a role map and = to see if you can get it to match.


  • 7.  RE: LocalUser Attributes as Variables for Enforcement

    MVP
    Posted May 15, 2017 01:23 PM

    I got it working. I utilized the Authorization of unique-device-count and the value is the variable of Permitted Device Count in Local User. Thanks for your help!