Contributor II
Posts: 50
Registered: ‎04-13-2009

Role mapping in Clear Pass is not working 100%

I set up several roles and created the role mapping policy, but only some of them seem to be working. I have a combination of rules that base the role mapping on the first letter of the username, and the rest check the OU membership. The OU membership rules seem to be working as expected. It appears to be ignoring the UserDN check. These are all under the same role mapping policy for the service. I have my type set to the AD auth source, the name is set to UserDN, the operator is begins_with, and then the value is the first character in the username. Then I have it set to use the appropriate role. It's either getting the default role or skipping over this rule, and if it also matches an OU rule it gets that value. I do have it set to match the first rule that applies. Not sure what I am missing. In Access Tracker it shows they are accepted, but again they are getting the wrong role. I looked at the record and I can see the UserDN in the computed attributes section. Code is up to the 6.4 level.

Guru Elite
Posts: 8,732
Registered: ‎09-08-2010

Re: Role mapping in Clear Pass is not working 100%

Can you please post a screenshot?

Also, generally speaking, it is best to use a match any for role mapping and then do first match in your enforcement.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 50
Registered: ‎04-13-2009

Re: Role mapping in Clear Pass is not working 100%

Guru Elite
Posts: 8,732
Registered: ‎09-08-2010

Re: Role mapping in Clear Pass is not working 100%

This won't work since all UserDNs begin with "CN=".

Change your expression to read:

BEGINS_WITH    CN=E

BEGINS_WITH    CN=e

etc, etc.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 50
Registered: ‎04-13-2009

Re: Role mapping in Clear Pass is not working 100%

Aha, I wondered about that. Thanks sir. I will make those changes and have them test again.

Contributor II
Posts: 50
Registered: ‎04-13-2009

Re: Role mapping in Clear Pass is not working 100%

One other question. If I have one where the username begins with an e, but they are also a match for one of the OU rules, how do I handle that? Is that where I need to change it to match any rule?

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Role mapping in Clear Pass is not working 100%

[edit] Sorry, I don't quite understand what you say.

Do you want to have it match on something or something else, or only have it match on something but not on something else?

Frequent Contributor II
Posts: 111
Registered: ‎03-18-2013

Re: Role mapping in Clear Pass is not working 100%

The list is one long string, not separated. I suggest you use the "contains" operand instead and use a more specific word to avoid "buggy" classification.

The parameter refers to groups in AD. What I usually do is ask the customer to make a more specific folder and link all the users of a group in that new folder to do as I want to.

Ricky.

Ricky E. Lee
CWNA | ACMP | ACCP
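
The prefix problem and the first-match versus match-any question from this thread, shown as an added example that is not part of any post and is not ClearPass code: a simplified Python model of rule evaluation. The rule layout, the role names (E-Users, Staff, default-role), the DNs, and the use of CONTAINS on UserDN for the OU check are assumptions made for illustration.

```python
# Added illustration: a simplified model of role-mapping rule evaluation.
# Rule layout, role names and DNs are constructed; this is not ClearPass code.

OPS = {
    "BEGINS_WITH": lambda value, arg: value.startswith(arg),
    "CONTAINS": lambda value, arg: arg in value,
}

def map_roles(rules, attrs, algorithm="first", default="default-role"):
    """Return the roles a session receives under 'first' or 'all' matching."""
    roles = []
    for attr, op, arg, role in rules:
        if OPS[op](attrs.get(attr, ""), arg):
            if role not in roles:
                roles.append(role)
            if algorithm == "first":
                break
    return roles or [default]

# Constructed directory entries.
ESMITH = {"UserDN": "CN=esmith,OU=Staff,DC=example,DC=com"}
BJONES = {"UserDN": "CN=bjones,OU=StaffContractors,DC=example,DC=com"}

# Original attempt: the DN starts with "CN=", so "e" never matches.
BROKEN = [
    ("UserDN", "BEGINS_WITH", "e", "E-Users"),
    ("UserDN", "CONTAINS", "OU=Staff,", "Staff"),
]
# Corrected prefixes, one rule per letter case as suggested in the thread.
FIXED = [
    ("UserDN", "BEGINS_WITH", "CN=E", "E-Users"),
    ("UserDN", "BEGINS_WITH", "CN=e", "E-Users"),
    ("UserDN", "CONTAINS", "OU=Staff,", "Staff"),
]
# A CONTAINS value without the trailing comma also matches longer OU names.
LOOSE = [("UserDN", "CONTAINS", "OU=Staff", "Staff")]

if __name__ == "__main__":
    print(map_roles(BROKEN, ESMITH))        # falls through to the OU rule
    print(map_roles(FIXED, ESMITH))         # first match wins
    print(map_roles(FIXED, ESMITH, "all"))  # both roles, for enforcement to rank
    print(map_roles(LOOSE, BJONES))         # over-match on OU=StaffContractors
    print(map_roles(FIXED, BJONES))         # no rule matches, default role
```

With "all" matching the session carries every matching role, so the choice between them moves to the enforcement policy, which is where the first-match ordering then applies.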