Contributor I
Posts: 65
Registered: ‎12-15-2011

computer account is member of AD-Group

I want to create an enforcement policy rule for machine authentication which only permits computer accounts that are members of a certain AD-group.  Does the policy rule use "memberof" or "UserDN" ?


Thanks.

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: computer account is member of AD-Group

memberOf or Groups

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 65
Registered: ‎12-15-2011

Re: computer account is member of AD-Group

I need more help.

Using memberOf with machine accounts is not working for me.  However using memberOf for user accounts works perfectly.  

Is filtering machine accounts based on AD group supported?  

Is this syntax correct...

 "Authorization:AD-Name:memberOf CONTAINS ad-group-name"

Thanks.

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: computer account is member of AD-Group

Are you doing a machine authentication?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 65
Registered: ‎12-15-2011

Re: computer account is member of AD-Group

Yes, I am doing machine authentication and verified by Access Tracker.

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: computer account is member of AD-Group

Hm. It's working fine for me. Can you post some screenshots of the Summary tab and authorization section of Input?

[Attached screenshot: Screen Shot 2017-06-02 at 2.00.54 PM.png]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 65
Registered: ‎12-15-2011

Re: computer account is member of AD-Group

Thank you for doing this testing.  I found it works when I add a "Machine memberOf" filter under my AD source as shown below.

[Attached image: filtersnip.jpg]

Only then does it provide the machine account information as shown below:

[Attached image: authsnip.jpg]

If you don't need this added filter then I will explore further.

Thanks.

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: computer account is member of AD-Group

You should not need that. Can you please share the access tracker logs for the original request (before you made the change)?

Access Tracker > Click Request > Export

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 65
Registered: ‎12-15-2011

Re: computer account is member of AD-Group

Indeed it is now working without the extra filter as you noted.

Thank you.
