07-09-2014 03:01 PM
I'm basing my authorization on groups that a user is a member of in AD.
Most users return the "Authorization:DOMAIN-AD:memberOf" attribute to Clearpass.
But some users fail authentication, and when I look at the authorization attributes of the request, the memberOf attribute isn't there!
The failed user is a member of groups, but they are not being returned.
Is there any reason that CPPM wouldn't get these attributes for some users?
07-09-2014 03:03 PM - edited 07-09-2014 03:09 PM
Some accounts may have had their security settings manually changed in the past and your standard user read account might not have access to read the properties of the account.
You can test this by duplicating your AD authentication source and changing the bind username and password to a domain admin account. If it works with this setting, you're going to want to delegate control to your reader account to be able to see user properties.
07-10-2014 12:08 PM
Are you seeing the same issue on other users in that group, or is it just spotty? I've seen issues where certain groups had a special permission that not all admins could read. If it's not that, then please open a TAC case for someone to look into it.
07-10-2014 01:57 PM
Thanks for the response.
It's interesting, because the problems with that particular user seem to have cleared up.
But today someone tried to log in with a domain laptop and got the wrong policy. CPPM did have the machine name listed in the received attributes, but for some reason it didn't think it was a domain member.
Intermittent AD issues?
07-10-2014 03:16 PM - edited 07-10-2014 03:16 PM
ClearPass records that a machine is a domain machine when it successfully authenticates with the username host/<machine name>. It will then cache that status for 24 hours. If the user or machine authenticates in that 24-hour period of time, the cache timer is reset (renewed) to 24 hours. If a user does nothing for 24 hours and leaves their machine logged in, it will lose the machine's authentication status and CPPM no longer knows that this is a domain machine. You can increase the machine authentication cache in CPPM at Administration » Server Manager » Server Configuration » Service Parameters » Policy Server so that it lasts a week instead of 24 hours, to account for user inactivity.
If in the Access tracker you do not see the [Machine Authenticated] role, that means that CPPM does not think it is a domain machine. You can fix that by having the user log out, wait a minute and then log back in...
Aruba Customer Engineering
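As an added illustration (not part of the original thread or of ClearPass itself), the cache behaviour described in the reply above can be modelled to see why an idle machine loses the [Machine Authenticated] role and how a longer cache TTL changes the outcome. The event list is constructed sample data, not a real Access Tracker export, and the host/ username match is an assumption about how events would be labelled.

```python
from datetime import datetime, timedelta

# Constructed model of the behaviour described in the reply: a successful
# host/<machine> authentication marks the machine as domain-joined, and every
# later successful authentication from that machine (user or host) renews the
# cached status for a full TTL. The 24-hour default is the value quoted above.
DEFAULT_TTL = timedelta(hours=24)


def machine_auth_timeline(events, ttl=DEFAULT_TTL):
    """events: time-ordered list of (timestamp, machine, username) successful
    authentications. Returns (timestamp, username, machine_authenticated) for
    each user (non-host/) authentication, i.e. whether CPPM would still have
    treated the machine as a domain member at that moment."""
    expires_at = {}  # machine -> datetime at which the cached status lapses
    results = []
    for ts, machine, username in events:
        cached = machine in expires_at and ts < expires_at[machine]
        if username.lower().startswith("host/"):
            expires_at[machine] = ts + ttl  # machine auth starts the timer
            continue
        if cached:
            expires_at[machine] = ts + ttl  # user auth renews the timer
        results.append((ts, username, cached))
    return results


# Constructed sample: machine auth in the morning, user activity the next
# morning, then a gap of more than 24 hours before the next user auth.
SAMPLE_EVENTS = [
    (datetime(2014, 7, 9, 8, 0), "LAPTOP01", "host/LAPTOP01.example.local"),
    (datetime(2014, 7, 9, 8, 1), "LAPTOP01", "alice"),     # cached, renewed
    (datetime(2014, 7, 10, 7, 30), "LAPTOP01", "alice"),   # 23.5 h later, renewed
    (datetime(2014, 7, 11, 9, 0), "LAPTOP01", "alice"),    # 25.5 h idle: lapsed
]

if __name__ == "__main__":
    for ts, user, ok in machine_auth_timeline(SAMPLE_EVENTS):
        print(ts, user, "[Machine Authenticated]" if ok else "no machine role")
    for ts, user, ok in machine_auth_timeline(SAMPLE_EVENTS, timedelta(days=7)):
        print("ttl=7d", ts, user, "[Machine Authenticated]" if ok else "no machine role")
```

With the default TTL the third user login lands on the wrong policy, exactly the symptom reported earlier in the thread; with a seven-day cache all three keep the machine role.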