Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Some users don't return memberOf attribute to CPPM

  • 1.  Some users don't return memberOf attribute to CPPM

    Posted Jul 09, 2014 06:01 PM

    Hi:

    I'm basing my authorization on groups that a user is a member of in AD.

    Most users return the "Authorization:DOMAIN-AD:memberOf" attribute to Clearpass.

    But some users fail authentication, and when I look at the authorization attributes of the request, the memberOf attribute isn't there!

    The failed user is a member of groups, but they are not being returned.

    Is there any reason that CPPM wouldn't get these attributes for some users?

    Thanks,

    Tony



  • 2.  RE: Some users don't return memberOf attribute to CPPM

    EMPLOYEE
    Posted Jul 09, 2014 06:04 PM

    Some accounts may have had their security settings manually changed in the past and your standard user read account might not have access to read the properties of the account.

    You can test this by duplicating your AD authentication source and changing the bind username and password to a domain admin account. If it works with this setting, you're going to want to delegate control to your reader account to be able to see user properties.

    http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions
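The comparison described above can be scripted from a domain-joined workstation instead of cloning the ClearPass authentication source. This is an added example, not code from the thread or from HPE Aruba; it assumes the ActiveDirectory PowerShell module, a placeholder DC name and a placeholder username, and prompts for the ClearPass reader account and a domain admin account.

```powershell
# Added diagnostic (not from the thread): compare the memberOf view that the
# ClearPass reader (bind) account gets with a domain admin's view for one user,
# then look at the user object's ACL for signs of manually changed permissions.
Import-Module ActiveDirectory

$Server         = 'dc01.example.local'   # assumption: any reachable domain controller
$SamAccountName = 'jdoe'                 # assumption: a user whose memberOf is missing in CPPM
$ReaderCred     = Get-Credential -Message 'ClearPass AD reader (bind) account'
$AdminCred      = Get-Credential -Message 'Domain admin account used for comparison'

function Get-UserView {
    param([string]$Sam, [string]$Dc, [pscredential]$Cred)
    # memberOf is what CPPM reads; adminCount flags accounts whose ACL is
    # replaced by AdminSDHolder (a common reason a delegated reader loses access).
    Get-ADUser -Identity $Sam -Server $Dc -Credential $Cred -Properties memberOf, adminCount
}

$asReader = Get-UserView -Sam $SamAccountName -Dc $Server -Cred $ReaderCred
$asAdmin  = Get-UserView -Sam $SamAccountName -Dc $Server -Cred $AdminCred

# Normalise to plain string arrays so an empty memberOf does not break the comparison.
$readerGroups = @($asReader.memberOf | Where-Object { $_ })
$adminGroups  = @($asAdmin.memberOf  | Where-Object { $_ })
$missing      = $adminGroups | Where-Object { $readerGroups -notcontains $_ }

if ($missing) {
    Write-Host "Groups the reader account cannot see for ${SamAccountName}:"
    $missing | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'Reader and admin see the same memberOf list; the bind account is not the cause.'
}

# Hand-edited security settings usually show up as blocked inheritance or
# explicit (non-inherited) ACEs on the object. The AD: drive uses the caller's
# own credentials, so run this part as an account allowed to read the ACL.
$acl = Get-Acl -Path "AD:\$($asAdmin.DistinguishedName)"
Write-Host "adminCount: $($asAdmin.adminCount)   inheritance blocked: $($acl.AreAccessRulesProtected)"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
    Format-Table -AutoSize
```

If the reader view is short but the admin view is complete, delegating read access on the affected objects (or the groups in question) to the reader account is the fix the reply above points to; if both views are complete, the gap is not a permissions problem on this object.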



  • 3.  RE: Some users don't return memberOf attribute to CPPM

    Posted Jul 10, 2014 02:45 PM

    The account I'm using to read from AD is a domain admin.



  • 4.  RE: Some users don't return memberOf attribute to CPPM

    EMPLOYEE
    Posted Jul 10, 2014 03:08 PM

    Are you seeing the same issue on other users in that group or is it just spotty? I've seen issues where certain groups had a special permission that not all admins could read. If it's not that then please open a TAC case for someone to look into it.



  • 5.  RE: Some users don't return memberOf attribute to CPPM

    Posted Jul 10, 2014 04:57 PM

    Hi Troy:

    Thanks for the response.

    It's interesting, because the problems with that particular user seem to have cleared up.

    But today someone tried to log in with a domain laptop, and got the wrong policy. CPPM did have the machine name listed in the received attributes, but for some reason, it didn't think it was a domain member.

    Intermittent AD issues?

    Tony



  • 6.  RE: Some users don't return memberOf attribute to CPPM

    EMPLOYEE
    Posted Jul 10, 2014 06:16 PM

    ClearPass records that a machine is a domain machine when it successfully authenticates with the username host/<machine name>.  It will then cache that status for 24 hours.  If the user or machine authenticates in that 24 hour period of time, the cache timer is reset (renewed) to 24 hours.  If a user does nothing for 24 hours and leaves their machine logged in, it will lose the machine's authentication status and CPPM no longer knows that this is a domain machine.  You can increase the machine authentication cache in CPPM at Administration » Server Manager » Server Configuration » Service Parameters » Policy Server so that it lasts a week, instead of 24 hours, to account for user inactivity.

    machineauth.png

    If in the Access tracker you do not see the [Machine Authenticated] role, that means that CPPM does not think it is a domain machine.  You can fix that by having the user log out, wait a minute and then log back in...



  • 7.  RE: Some users don't return memberOf attribute to CPPM

    Posted Jul 10, 2014 06:39 PM

    Hi Colin:

    Thanks for the info.

    Perhaps that was the source of my problem.

    I will try increasing that timeout.

    Thanks,

    Tony