Super Contributor I
Posts: 293
Registered: ‎02-07-2013

Using AD group in cppm service selection

I've created a CPPM service that we use to authenticate onto our comware switches. Part of the service selection is checking if the RADIUS User-Name is a member of a particular group of users. Later on I set up some Roles based upon contents of an AD group and then apply an enforcement policy if a particular role exists.

Problem is the list of users is getting a bit unwieldy in the service selection bit. Is there any way of checking whether a given User-Name is a member of an AD group at service selection time?

 

A

 

 

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Using AD group in cppm service selection

Unfortunately no. Service categorization happens well before authorization.

 

You could leverage username realms though.

 

You should only need rules that reference the group membership, not usernames individually.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 447
Registered: ‎11-04-2011

Re: Using AD group in cppm service selection

Would it work for you to match all users in the service and after authentication, based on the group membership (roles, device, etc...) return a Deny Access for unauthorized users?

 

That has another benefit, namely that you can put additional actions on unauthorized users trying to get access; like opening helpdesk tickets for a security incident.

 

The information on what you are trying to achieve (the question behind your question) is not fully clear, and please contact your Aruba partner or TAC if you need to discuss how to implement what you really want.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
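
A simplified model of the evaluation order described in this thread, added as an example that is not ClearPass code and not part of any post: service selection sees only attributes carried in the request (here a username realm), group membership becomes known only after authentication, and the deny plus follow-up action happens at enforcement. The realm, group, user names, address range and the `open-helpdesk-ticket` action are constructed assumptions.

```python
# Simplified model of the evaluation order discussed in this thread.
# Not ClearPass code; every name and value below is constructed.

DIRECTORY = {  # stand-in for AD: user -> (password, groups)
    "alice": ("pw-a", {"Switch-Admins"}),
    "bob": ("pw-b", {"Helpdesk"}),
}

def select_service(request):
    """Stage 1: only attributes carried in the RADIUS request are visible."""
    from_switch = request["NAS-IP-Address"].startswith("192.0.2.")
    in_realm = request["User-Name"].endswith("@netadmin")
    return "switch-login" if from_switch and in_realm else None

def authenticate(request):
    """Stage 2: verify credentials; return the bare username or None."""
    user = request["User-Name"].split("@", 1)[0]
    entry = DIRECTORY.get(user)
    return user if entry and entry[0] == request["password"] else None

def map_roles(user):
    """Stage 3: authorization lookup; group membership is first known here."""
    groups = DIRECTORY[user][1]
    return {"switch-admin"} if "Switch-Admins" in groups else set()

def enforce(roles):
    """Stage 4: enforcement, with a follow-up action attached to the deny."""
    if "switch-admin" in roles:
        return "Allow Access", []
    return "Deny Access", ["open-helpdesk-ticket"]

def process(request):
    """Run the stages in order and return (result, follow-up actions)."""
    if select_service(request) is None:
        return "No Service", []
    user = authenticate(request)
    if user is None:
        return "Reject", []
    return enforce(map_roles(user))
```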