01-29-2013 10:56 AM
I have a group in AD that has a nested group as its members, very useful when granting application privs.
I wanted to assign this group read only access to ClearPass, but it seems that CP doesn't follow nested groups?
When I looked at the authorization attributes
Authorization:Brandeis Active Directory:memberOf: only shows the primary memberships not the memberships of the nested groups...
Is there a setting I can change to have it show that?
01-29-2013 01:19 PM - edited 08-12-2013 10:56 AM
Attached is a preliminary document on how to configure CPPM for nested groups.
Aruba Customer Engineering
02-25-2013 10:20 AM
PM Collin and ask for the same doc he sent me.
It was pretty easy to get it working, but the doc was needed to wrap your head around reading into nested groups.
08-12-2013 10:58 AM
I just use all of the levels and leaf options for each one so you always catch it.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
02-13-2014 07:54 AM - edited 02-13-2014 11:49 AM
Instead of using the OneLevelUp/Leaf method of searching nested groups is there any reason to not use something like:
for the Groups query? This seems to return all the nested groups in Active Directory.
The resource I used to find this was: http://msdn.microsoft.com/en-us/library/aa746475%2
Edit: This doesn't actually work, I had the query wrong and was allowing access to all groups. It does work if you modify the auth query, but then it's very awkward, i.e.:
If there's a way of retrieving nested memberOf attributes from Active Directory that would be ideal.
11-03-2014 07:11 AM
Seems nested groups still do not work 'out of the box'.
Is there any intention to get this config into ClearPass per default? Is that v2 document still the latest version?
05-25-2016 07:55 PM
I was shared an LDAP OID from support and some basic 'n-1' traversal that can deal with this better than the original pdf shared at the top of this thread.
Is this the new gospel way of dealing with this?
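As an added example (not from the thread, ClearPass or Aruba) of the two approaches discussed above, the 'n-1' walk up the nesting and a single AD-side query: the sample directory and DNs are constructed, and the OID is Microsoft's LDAP_MATCHING_RULE_IN_CHAIN from the search-filter syntax page linked earlier, which the thread itself does not spell out.

```python
# Added example: show why a plain memberOf lookup misses nested groups, resolve
# the effective membership offline with a cycle-safe n-1 walk, and build the
# AD filter that makes the domain controller do the same traversal itself.
from typing import Dict, List, Set

# Constructed sample directory: group DN -> member DNs (users or groups).
# jdoe is a direct member only of App-Users, which sits inside ClearPass-ReadOnly.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "CN=ClearPass-ReadOnly,OU=Groups,DC=example,DC=edu": [
        "CN=App-Users,OU=Groups,DC=example,DC=edu",
    ],
    "CN=App-Users,OU=Groups,DC=example,DC=edu": [
        "CN=jdoe,OU=Users,DC=example,DC=edu",
        "CN=Helpdesk,OU=Groups,DC=example,DC=edu",
    ],
    # Nesting cycle (AD permits these); a naive recursion would never terminate.
    "CN=Helpdesk,OU=Groups,DC=example,DC=edu": [
        "CN=ClearPass-ReadOnly,OU=Groups,DC=example,DC=edu",
    ],
}

def direct_member_of(dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """What the memberOf attribute returns: the object's own groups, one level."""
    return {g for g, members in groups.items() if dn in members}

def effective_member_of(dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Transitive memberOf: walk parents one level at a time until none are new."""
    seen: Set[str] = set()
    frontier = [dn]
    while frontier:
        for parent in direct_member_of(frontier.pop(), groups):
            if parent not in seen:  # the seen-set is what breaks the cycle
                seen.add(parent)
                frontier.append(parent)
    return seen

# Microsoft-specific matching rule; an AD domain controller evaluates it server-side.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a DN embedded in a filter cannot alter its structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def nested_member_filter(user_dn: str) -> str:
    """Filter returning every group the user belongs to, directly or through nesting."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={ldap_escape(user_dn)})"

if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,DC=example,DC=edu"
    print("direct:   ", sorted(direct_member_of(user, SAMPLE_GROUPS)))
    print("effective:", sorted(effective_member_of(user, SAMPLE_GROUPS)))
    print("AD filter:", nested_member_filter(user))
```

Running it shows the one-group answer the original poster saw in the authorization attributes next to the three groups that actually apply once nesting is followed.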