Community Home > Discuss > Technology > Security > LocalUser Attributes as Variables for Enforcement

Security

Reply
MVP
MVP
mharing

LocalUser Attributes as Variables for Enforcement

‎05-15-2017 09:30 AM

I have a customer who wants to have administrative control over how many devices each individual user can use. We are using the LocalUser DB and will be doing user-based authentication. I created an attribute on Local User called "permitted device count". How do I reference that as a variable in Enforcement. 

 

Example:

Authentication: Unique Device Count GREATER THAN {%LocalUser:permitted device count} = Deny Access

 

I've used variables before, but having a hard time with this one.

 

Thanks.

Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Alert a Moderator
Message 1 of 7
752 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: LocalUser Attributes as Variables for Enforcement

‎05-15-2017 09:36 AM

Do you see it available in the LocalUser namespace in an enforcement policy?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 2 of 7
748 Views
Reply
0 Kudos
MVP
MVP
mharing

Re: LocalUser Attributes as Variables for Enforcement

‎05-15-2017 09:38 AM

I have the ability to select it from Name, but need a way to reference the Value configured for each Local User. 

Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Alert a Moderator
Message 3 of 7
745 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: LocalUser Attributes as Variables for Enforcement

‎05-15-2017 09:39 AM

%{LocalUser:attribute}

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 4 of 7
738 Views
Reply
0 Kudos
MVP
MVP
mharing

Re: LocalUser Attributes as Variables for Enforcement

‎05-15-2017 09:53 AM

Tried adding that, but it did not even recognize it. Do I need to make that an Authorization attribute for it to work? 

 

In Access Tracker, under Computed Attributes I see the configured value, but it doesn't appear to be matching or referencing it during the authentication.

 

I have it currently set to 0, but it allowed me access. 

 

Condition is Greater Than = Deny Access.

Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Alert a Moderator
Message 5 of 7
725 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: LocalUser Attributes as Variables for Enforcement

‎05-15-2017 09:59 AM

Try and just use a role map and = to see if you can get it to match.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 6 of 7
722 Views
Reply
0 Kudos
MVP
MVP
mharing

Re: LocalUser Attributes as Variables for Enforcement

‎05-15-2017 10:23 AM

I got it working. I utilized the Authorization of unique-device-count and the value is the variable of Permitted Device Count in Local User. Thanks for your help!

Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Alert a Moderator
Message 7 of 7
706 Views
Reply
0 Kudos
Search Airheads
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium