09-13-2016 07:23 AM
I've created a CPPM service that we use to authenticate onto our Comware switches. Part of the service selection is checking if the RADIUS User-Name is a member of a particular group of users. Later on I set up some Roles based upon contents of an AD group and then apply an enforcement policy if a particular role exists.
Problem is the list of users is getting a bit unwieldy in the service selection bit. Is there any way of checking whether a given User-Name is a member of an AD group at service selection time?
09-13-2016 07:26 AM
Unfortunately no. Service categorization happens well before authorization.
You could leverage username realms though.
You should only need rules that reference the group membership, not usernames individually.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
09-14-2016 12:35 AM
Would it work for you to match all users in the service and after authentication, based on the group membership (roles, device, etc...) return a Deny Access for unauthorized users?
That has another benefit, namely that you can put additional actions on unauthorized users trying to get access, like opening helpdesk tickets for a security incident.
The information on what you are trying to achieve (the question behind your question) is not fully clear, and please contact your Aruba partner or TAC if you need to discuss how to implement what you really want.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.