Using AD Attributes to authenticate users at one location vs another

I have a deployment where I would like to use a specific AD Attribute to authenticate users at one particular location if their attribute matches a particular number.

Therefore all users having this attribute along with this number are allowed to authenticate at location A and nowhere else.

Users at location B will have the same attribute but with a different number.

The number can be a store #, dealer #, something that identifies which location they belong to.

Not too sure how to go about configuring this. We are using EAP-PEAP MSCHAPv2 to authenticate the users. I assume somewhere in the enforcement profile I will be validating against the attribute whether it exists and checking the value, and then how do I go about linking that number to the location?

The other thing is that if the attribute contains a specific word, let's say 'allow', then this user can authenticate at all the locations.

I know this is possible but not too sure how to implement it right now.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite

Re: Using AD Attributes to authenticate users at one location vs another

Create a custom device attribute and add the same value to the NAD entries. So if location A was value 1, then add a custom attribute to the NADs in that location with a value of 1.

Then you can just write a two rule policy. One that checks if those two values match. Another that looks for the all value.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Using AD Attributes to authenticate users at one location vs another

Thanks, now is that method scalable? I have about 200+ sites.

I'll give it a shot.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite

Re: Using AD Attributes to authenticate users at one location vs another

Yes, because you already have the NADs defined, you're just adding a single value. Your enforcement policy can be 2 rules total and handle all of those sites.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Using AD Attributes to authenticate users at one location vs another

In our environment, I added the location attribute for all of the devices to take preference over the closer Regional Clearpass. This is a very useful option.

Re: Using AD Attributes to authenticate users at one location vs another

k, thanks.
Let me give this a shot and post back once I do or run into issues.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]

Re: Using AD Attributes to authenticate users at one location vs another

I believe I got it to work.

Took me a while to fully understand what you were saying Tim; it is not that obvious when you are looking at ClearPass from a n00b point of view, but I figured it out.

[attached screenshot of the enforcement policy rules: Untitled.png]

With these rules, if I modify the NAD to have "national" and my user has 12345, I am denied access; if I change my NAD to 12345, my user can connect.

This is blowing my mind for such a simple item.

Thanks all.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite

Re: Using AD Attributes to authenticate users at one location vs another

Your rule would reference the variable for the entry in the device list, not a static value. That allows it to be completely dynamic for each store with only 2 rules.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Using AD Attributes to authenticate users at one location vs another

I just need to make it wildcard based so that I don't have to type in the value manually.
Each location will have a different attribute value, so checking against a static value is not going to work for me.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]

Re: Using AD Attributes to authenticate users at one location vs another

Ya, trying to make it work currently, no success.

I have it doing something like this:
(Authorization: AD (no proxy):physicalDeliveryOfficeName EQUALS %{physicalDeliveryOfficeName})
 AND  (Device:dealer EQUALS %{dealer})

(Authorization: AD (no proxy):physicalDeliveryOfficeName EQUALS %{physicalDeliveryOfficeName})
 AND  (Device:dealer EQUALS national)

Not working yet… will continue to troubleshoot.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
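The decision logic the thread is converging on, written out as a small added simulation in Python (this is not ClearPass code and not anything the posters wrote; ClearPass itself evaluates the rules you configure in its UI). It assumes two sources of attributes per authentication request: the user's AD attribute (physicalDeliveryOfficeName is the name used in the thread, here holding a store or dealer number) and a custom device attribute on the NAD the request came through (dealer, also from the thread). Rule 1 compares the user's value against the NAD's value rather than a static number, which is what Tim means by referencing the device-list variable; rule 2 admits a user whose attribute is the literal word allow at any NAD. The exact-match, case-insensitive test for allow, the fail-closed handling when either attribute is missing, and the sample requests are this example's own choices, not the page's.

```python
# Simulated two-rule, location-aware authorization decision (added example,
# not ClearPass's own evaluator). Attribute names follow the thread; the
# sample requests below are constructed for illustration.
from dataclasses import dataclass, field

USER_ATTR = "physicalDeliveryOfficeName"  # AD attribute carrying the store/dealer number
NAD_ATTR = "dealer"                        # custom attribute set on each NAD entry
ALLOW_ALL = "allow"                        # value that permits access at every location


@dataclass
class Request:
    """One authentication request as seen by the policy engine."""
    username: str
    ad_attrs: dict = field(default_factory=dict)   # Authorization:AD:* values
    nad_attrs: dict = field(default_factory=dict)  # Device:* values of the NAD in use


def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Default is deny; only the two rules grant access."""
    user_val = req.ad_attrs.get(USER_ATTR)
    nad_val = req.nad_attrs.get(NAD_ATTR)

    # Fail closed: a user with no location attribute, or a NAD that was never
    # tagged with one, must not be matched against an empty string.
    if not user_val or not nad_val:
        return ("deny", "missing location attribute on user or NAD")

    # Rule 2: roaming users carry the literal word 'allow' (exact, case-insensitive).
    if user_val.strip().lower() == ALLOW_ALL:
        return ("allow", "rule 2: user permitted at all locations")

    # Rule 1: the user's AD value must equal the NAD's own device attribute,
    # so one rule covers every site without a per-site static value.
    if user_val.strip() == nad_val.strip():
        return ("allow", f"rule 1: user location {user_val} matches NAD")

    return ("deny", f"user location {user_val} does not match NAD location {nad_val}")


def evaluate_all(requests: list[Request]) -> dict[str, str]:
    """Map each username to its decision; handy for checking a batch of test cases."""
    return {r.username: evaluate(r)[0] for r in requests}


# Constructed sample requests mirroring the scenarios described in the thread.
SAMPLE_REQUESTS = [
    # Store user at a NAD tagged with the same number: admitted by rule 1.
    Request("store_user_home", {USER_ATTR: "12345"}, {NAD_ATTR: "12345"}),
    # Same user at a NAD tagged "national": denied, as the poster observed.
    Request("store_user_national_nad", {USER_ATTR: "12345"}, {NAD_ATTR: "national"}),
    # Same user at another store's NAD: denied.
    Request("store_user_wrong_store", {USER_ATTR: "12345"}, {NAD_ATTR: "67890"}),
    # Roaming user with the 'allow' value at any store: admitted by rule 2.
    Request("roaming_user", {USER_ATTR: "Allow"}, {NAD_ATTR: "67890"}),
    # User whose AD object lacks the attribute: denied (fail closed).
    Request("untagged_user", {}, {NAD_ATTR: "12345"}),
    # NAD entry that was never given the custom attribute: denied (fail closed).
    Request("untagged_nad", {USER_ATTR: "12345"}, {}),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        decision, reason = evaluate(r)
        print(f"{r.username:28s} {decision:5s} {reason}")
```

Returning the reason string alongside the decision is deliberate: when a rule "does not work yet", the first thing to check is which attribute was empty or mismatched, and logging that per request is much faster than re-reading the policy.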