Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Role mapping in Clear Pass is not working 100%

  • 1.  Role mapping in Clear Pass is not working 100%

    Posted Feb 12, 2015 06:56 PM

    I set up several roles and created the role mapping policy, but only some of them seem to be working. I have a combination of rules that base the role mapping on the first letter of the username, and the rest check the OU membership. The OU membership rules seem to be working as expected. It appears to be ignoring the UserDN check. These are all under the same role mapping policy for the service. I have my type set to the AD auth source, the name is set to UserDN, the operator is begins_with, and then the value is the first character in the username. Then I have it set to use the appropriate role. It's either getting the default role or skipping over this rule, and if it also matches an OU rule it gets that value. I do have it set to match the first rule that applies. Not sure what I am missing. In Access Tracker it shows they are accepted, but again they are getting the wrong role. I looked at the record and I can see the UserDN in the computed attributes section. Code is up to the 6.4 level.



  • 2.  RE: Role mapping in Clear Pass is not working 100%

    EMPLOYEE
    Posted Feb 12, 2015 06:58 PM

    Can you please post a screenshot?

     

    Also, generally speaking, it is best to use a match any for role mapping and then do first match in your enforcement.



  • 3.  RE: Role mapping in Clear Pass is not working 100%

    Posted Feb 12, 2015 07:02 PM

    Here you go. let me know what you think.



  • 4.  RE: Role mapping in Clear Pass is not working 100%
    Best Answer

    EMPLOYEE
    Posted Feb 12, 2015 07:05 PM

    This won't work since all UserDNs begin with "CN="

     

    Change your expression to read:

     

    BEGINS_WITH    CN=E

    BEGINS_WITH    CN=e

     

    etc, etc.



  • 5.  RE: Role mapping in Clear Pass is not working 100%

    Posted Feb 12, 2015 07:08 PM

    Aha, I wondered about that. Thanks sir. I will make those changes and have them test again.



  • 6.  RE: Role mapping in Clear Pass is not working 100%

    Posted Feb 12, 2015 07:15 PM

    One other question. If I have one where the username begins with an e, but they are also a match for one of the OU rules, how do I handle that? Is that where I need to change it to match any rule?
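A small model of the evaluation discussed in replies 2 and 4 (first-match versus match-any, and why BEGINS_WITH "e" on UserDN never fires while "CN=e" does). This is an added example, not ClearPass code or anything posted in this thread; the rule format, attribute names, the default role name and the sample DN are all assumptions.

```python
# Illustrative model of a ClearPass-style role mapping policy (not ClearPass code).
# Attribute names, the rule shape, the default role name and the sample DN are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attr: str    # attribute to test, e.g. "UserDN" or "memberOf"
    op: str      # BEGINS_WITH | CONTAINS | EQUALS
    value: str   # value configured in the rule
    role: str    # role assigned when the rule matches


# Operators are case-sensitive, matching the thread's separate CN=E / CN=e rules.
OPS = {
    "BEGINS_WITH": lambda actual, expected: actual.startswith(expected),
    "CONTAINS": lambda actual, expected: expected in actual,
    "EQUALS": lambda actual, expected: actual == expected,
}


def rule_matches(rule, attrs):
    # Multi-valued attributes (memberOf) match if any value satisfies the operator.
    values = attrs.get(rule.attr, [])
    if isinstance(values, str):
        values = [values]
    return any(OPS[rule.op](v, rule.value) for v in values)


def map_roles(rules, attrs, mode="first", default="[Guest]"):
    """mode='first': stop at the first matching rule; mode='any': keep every match."""
    matched = [r.role for r in rules if rule_matches(r, attrs)]
    if not matched:
        return [default]
    return matched[:1] if mode == "first" else list(dict.fromkeys(matched))


# Constructed sample user: username starts with 'e' and sits under OU=Engineering.
USER = {
    "UserDN": "CN=esmith,OU=Engineering,DC=example,DC=com",
    "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
}

# Broken rule from the original post: bare first letter compared against the whole DN.
BROKEN = [Rule("UserDN", "BEGINS_WITH", "e", "E-Role"),
          Rule("UserDN", "CONTAINS", "OU=Engineering", "Eng-Role")]
# Corrected rule from the best answer: the DN always starts with "CN=".
FIXED = [Rule("UserDN", "BEGINS_WITH", "CN=e", "E-Role"),
         Rule("UserDN", "CONTAINS", "OU=Engineering", "Eng-Role")]

if __name__ == "__main__":
    print(map_roles(BROKEN, USER, "first"))  # ['Eng-Role']: the E rule is silently skipped
    print(map_roles(FIXED, USER, "first"))   # ['E-Role']
    print(map_roles(FIXED, USER, "any"))     # ['E-Role', 'Eng-Role']
```

With match-any the user carries both roles, so the enforcement policy (evaluated first-match, as reply 2 suggests) decides which one wins; with first-match the rule order inside the role mapping policy decides.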



  • 7.  RE: Role mapping in Clear Pass is not working 100%

    Posted Feb 15, 2015 08:13 AM

    [edit] Sorry, I don't quite understand what you are saying.

     

    Do you want to have it match on something or something else, or only have it match on something but not on something else?



  • 8.  RE: Role mapping in Clear Pass is not working 100%

    Posted Feb 15, 2015 08:43 AM

    The list is one long string, not separated. I suggest you use the "contains" operand instead and use a more specific word to avoid "buggy" classification.

    The parameter refers to groups in AD. What I usually do is ask the customer to make a more specific folder and link all the users of a group in that new folder to do as I want to.

     

    Ricky.