Frequent Contributor II
Posts: 143
Registered: 07-27-2012

Some users don't return memberOf attribute to CPPM

Hi:

I'm basing my authorization on groups that a user is a member of in AD.

Most users return the "Authorization:DOMAIN-AD:memberOf" attribute to Clearpass.

But some users fail authentication, and when I look at the authorization attributes of the request, the memberOf attribute isn't there!

The failed user is a member of groups, but they are not being returned.

Is there any reason that CPPM wouldn't get these attributes for some users?

Thanks,

Tony

Guru Elite
Posts: 8,003
Registered: 09-08-2010

Re: Some users don't return memberOf attribute to CPPM


Some accounts may have had their security settings manually changed in the past and your standard user read account might not have access to read the properties of the account.

You can test this by duplicating your AD authentication source and changing the bind username and password to a domain admin account. If it works with this setting, you're going to want to delegate control to your reader account to be able to see user properties.

http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
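One way to run the comparison suggested in the reply above from an admin workstation instead of by cloning the CPPM authentication source, as an added example that is not from this thread: it binds once as the ClearPass reader account and once as a domain admin and shows what each can read on the failing user. The RSAT ActiveDirectory module, the domain controller name and the user name are assumptions (placeholders).

```powershell
# Added example, not code from the thread: compare what two bind accounts can
# read on one user object to confirm whether the ClearPass reader account is
# being denied the memberOf attribute. Assumes the RSAT ActiveDirectory module;
# $Server and $User are placeholders to fill in.
param(
    [string]$Server = 'dc01.example.local',   # placeholder domain controller
    [string]$User   = 'jdoe'                  # sAMAccountName of the failing user
)
Import-Module ActiveDirectory

# Two bind identities: the one configured in the CPPM AD source and a
# known-good domain admin, as the reply above suggests comparing.
$readerCred = Get-Credential -Message 'ClearPass bind (reader) account'
$adminCred  = Get-Credential -Message 'Domain admin account (control)'

function Get-GroupView {
    param([pscredential]$Cred, [string]$Label)
    try {
        # adminCount=1 marks a protected account whose ACL is periodically reset
        # from AdminSDHolder, a common way delegated read rights get dropped.
        $u = Get-ADUser -Identity $User -Server $Server -Credential $Cred `
                        -Properties memberOf, adminCount -ErrorAction Stop
        [pscustomobject]@{
            BindAs     = $Label
            Found      = $true
            AdminCount = [int]$u.adminCount
            Groups     = @($u.memberOf).Count
            MemberOf   = (@($u.memberOf) | ForEach-Object {
                             ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    } catch {
        # A reader that cannot see the object at all has the same root cause.
        [pscustomobject]@{ BindAs = $Label; Found = $false; AdminCount = 0
                           Groups = 0; MemberOf = $_.Exception.Message }
    }
}

$asReader = Get-GroupView -Cred $readerCred -Label 'reader'
$asAdmin  = Get-GroupView -Cred $adminCred  -Label 'admin'
$asReader, $asAdmin | Format-Table -AutoSize -Wrap

if ($asAdmin.Groups -gt 0 -and $asReader.Groups -eq 0) {
    Write-Warning 'memberOf is visible to the admin bind but not to the reader bind: delegate read access on this object to the reader account.'
    if ($asAdmin.AdminCount -eq 1) {
        Write-Warning 'adminCount=1: the ACL comes from AdminSDHolder, so the delegation must be granted there to persist.'
    }
}
```

If both binds return the same group list, the reader account's permissions are not the problem and the other causes raised later in the thread are worth checking.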
Frequent Contributor II
Posts: 143
Registered: 07-27-2012

Re: Some users don't return memberOf attribute to CPPM

The account I'm using to read from AD is a domain admin.

Aruba
Posts: 1,536
Registered: 06-12-2012

Re: Some users don't return memberOf attribute to CPPM

Are you seeing the same issue on other users in that group or is it just spotty? I've seen issues where certain groups had a special permission that not all admins could read. If it's not that then please open a TAC case for someone to look into it.

Thank You,
Troy

Frequent Contributor II
Posts: 143
Registered: 07-27-2012

Re: Some users don't return memberOf attribute to CPPM

Hi Troy:

Thanks for the response.

It's interesting, because the problems with that particular user seem to have cleared up.

But today someone tried to log in with a domain laptop, and got the wrong policy. CPPM did have the machine name listed in the received attributes, but for some reason, it didn't think it was a domain member.

Intermittent AD issues?

Tony

Guru Elite
Posts: 20,357
Registered: 03-29-2007

Re: Some users don't return memberOf attribute to CPPM


ClearPass records that a machine is a domain machine when it successfully authenticates with the username host/<machine name>. It will then cache that status for 24 hours. If the user or machine authenticates in that 24 hour period of time, the cache timer is reset (renewed) to 24 hours. If a user does nothing for 24 hours and leaves their machine logged in, it will lose the machine's authentication status and CPPM no longer knows that this is a domain machine. You can increase the machine authentication cache in CPPM at Administration » Server Manager » Server Configuration » Service Parameters » Policy Server so that it lasts a week, instead of 24 hours, to account for user inactivity.

[screenshot: machineauth.png]

If in the Access tracker you do not see the [Machine Authenticated] role, that means that CPPM does not think it is a domain machine.  You can fix that by having the user log out, wait a minute and then log back in...



Colin Joseph
Aruba Customer Engineering

Frequent Contributor II
Posts: 143
Registered: 07-27-2012

Re: Some users don't return memberOf attribute to CPPM

Hi Colin:

Thanks for the info.

Perhaps that was the source of my problem.

I will try increasing that timeout.

Thanks,

Tony
