Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

computer account is member of AD-Group

  • 1.  computer account is member of AD-Group

    Posted Jun 02, 2017 10:04 AM

    I want to create an enforcement policy rule for machine authentication which only permits computer accounts that are members of a certain AD group. Does the policy rule use "memberof" or "UserDN"?

     

    Thanks.



  • 2.  RE: computer account is member of AD-Group

    EMPLOYEE
    Posted Jun 02, 2017 10:10 AM
    memberOf or Groups


  • 3.  RE: computer account is member of AD-Group

    Posted Jun 02, 2017 11:26 AM

    I need more help.

    Using memberOf with machine accounts is not working for me. However, using memberOf for user accounts works perfectly.

    Is filtering machine accounts based on AD group supported?

    Is this syntax correct...

     "Authorization:AD-Name:memberOf CONTAINS ad-group-name"

    Thanks.



  • 4.  RE: computer account is member of AD-Group

    EMPLOYEE
    Posted Jun 02, 2017 11:28 AM
    Are you doing a machine authentication?


  • 5.  RE: computer account is member of AD-Group

    Posted Jun 02, 2017 11:38 AM

    Yes, I am doing machine authentication and verified by access tracker.



  • 6.  RE: computer account is member of AD-Group
    Best Answer

    EMPLOYEE
    Posted Jun 02, 2017 02:04 PM

    Hm. It's working fine for me. Can you post some screenshots of the Summary tab and authorization section of Input?

     

    Screen Shot 2017-06-02 at 2.00.54 PM.png



  • 7.  RE: computer account is member of AD-Group

    Posted Jun 02, 2017 05:06 PM

    Thank you for doing this testing. I found it works when I add a "Machine memberOf" filter under my AD source as shown below.

    filtersnip.jpg

    Only then does it provide the machine account information as shown below:

    authsnip.jpg

    If you don't need this added filter then I will explore further.

    Thanks.



  • 8.  RE: computer account is member of AD-Group

    EMPLOYEE
    Posted Jun 02, 2017 05:14 PM
    You should not need that. Can you please share the access tracker logs for the original request (before you made the change)?

    Access Tracker > Click Request > Export


  • 9.  RE: computer account is member of AD-Group

    Posted Jun 06, 2017 06:57 AM

    Indeed it is now working without the extra filter as you noted.

    Thank you.



  • 10.  RE: computer account is member of AD-Group

    Posted Aug 01, 2018 11:12 AM

    Hey,

    Could you please share how you fixed that issue?

    I am facing right now exactly the same problem. I want to do machine authentication but the groups in which my machines are located are not getting recognized. For users "member of" it's working perfectly.

     

    Best!

    loveColors

     



  • 11.  RE: computer account is member of AD-Group

    Posted Mar 28, 2019 09:26 AM

    Hi, I have the same problem. I don't see the Authorization tab in Monitoring.



  • 12.  RE: computer account is member of AD-Group

    Posted Apr 01, 2019 01:00 PM

    Make sure Authorization is enabled on the service. Go to Service tab / More Options and make sure Authorization is checked.



  • 13.  RE: computer account is member of AD-Group

    Posted Aug 23, 2021 10:52 AM
    Hi MortKaye,

    I added "Machine memberOf", and it started working for me as well. Thank you!


    ------------------------------
    Mehmet Sahin
    ------------------------------