LocalUser Attributes as Variables for Enforcement

I have a customer who wants to have administrative control over how many devices each individual user can use. We are using the LocalUser DB and will be doing user-based authentication. I created an attribute on Local User called "permitted device count". How do I reference that as a variable in Enforcement?

Example:

Authentication: Unique Device Count GREATER THAN {%LocalUser:permitted device count} = Deny Access

 

I've used variables before, but I'm having a hard time with this one.

Thanks.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: LocalUser Attributes as Variables for Enforcement

Do you see it available in the LocalUser namespace in an enforcement policy?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: LocalUser Attributes as Variables for Enforcement

I have the ability to select it from Name, but need a way to reference the Value configured for each Local User. 


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: LocalUser Attributes as Variables for Enforcement

%{LocalUser:attribute}

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: LocalUser Attributes as Variables for Enforcement

Tried adding that, but it did not even recognize it. Do I need to make that an Authorization attribute for it to work? 

 

In Access Tracker, under Computed Attributes I see the configured value, but it doesn't appear to be matching or referencing it during the authentication.

 

I have it currently set to 0, but it allowed me access. 

 

Condition is Greater Than = Deny Access.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: LocalUser Attributes as Variables for Enforcement

Try and just use a role map and = to see if you can get it to match.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: LocalUser Attributes as Variables for Enforcement

I got it working. I utilized the Authorization of unique-device-count and the value is the variable of Permitted Device Count in Local User. Thanks for your help!


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0