Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Deep-Nested Active Directory Queries

  • 1.  Deep-Nested Active Directory Queries

    Posted Sep 30, 2020 03:20 PM

    Hi there,


    I just followed the following instructions, but can't get any data to show on TokenGroups:



    Does anyone have this (nested groups) working?



  • 2.  RE: Deep-Nested Active Directory Queries

    Posted Oct 05, 2020 03:32 PM

    Just tried and it works for me. This tokenGroup thing is reported to perform much better than traditional nested groups which I used before. It was new to me, so good to have a look.


    Did you apply the modified authentication source to the service? And did you do something with the attribute during role-mapping or enforcement? If you don't use/test an attribute, it will not be pulled; as there is no change in the decision, it's optimized out of your query.


    What I did change in the Authentication source is that I selected the 'as attribute' to get it in the input tab of access tracker:

    [screenshot]

    Then to trigger something I used a simple 'exists' check in the role mapping, but checking the S-number should work as well:

    [screenshot]

    Then in an authentication, I see all the nested group ids:

    [screenshot]

    I created a 3-level group hierarchy: Level 1 with member Level 2 with member Level 3 with my user. In the Nested Groups / tokenGroup, I see the SIDs for all three levels (and other groups the user is member of, like Domain Users):

    S-1-5-21-1532318898-2625386876-3981842600-1114, S-1-5-21-1532318898-2625386876-3981842600-1115, S-1-5-21-1532318898-2625386876-3981842600-1116, S-1-5-21-1532318898-2625386876-3981842600-1609, S-1-5-21-1532318898-2625386876-3981842600-513, S-1-5-32-545


    Ticking the 'as attribute' and testing the retrieved attribute are most likely the reason you don't see them in Access Tracker.
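    The SID list above is what the AD tokenGroups attribute carries: a multi-valued constructed attribute whose values are binary SIDs for every group the user belongs to, nested levels included, already expanded by the domain controller. The snippet below is an added example (not code from the thread or from ClearPass) that decodes and encodes those binary SIDs and performs the same kind of membership check a role-mapping rule on the S-number would do. The group SID values are the ones quoted in the reply; the group names mapped to them (Level 1/2/3) are constructed for the illustration, except the well-known Domain Users (RID 513) and BUILTIN\Users (S-1-5-32-545).

```python
import struct
from typing import Dict, Iterable, List

# Binary SID layout (as returned by AD in tokenGroups / objectSid):
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities (max 15)
#   bytes 2-7   48-bit identifier authority, big-endian
#   bytes 8..   sub-authorities, 32-bit little-endian each


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID into the familiar S-1-5-21-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def string_to_sid(sid: str) -> bytes:
    """Encode an S-1-... string back to the binary form AD stores."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed tokenGroups value: the SIDs quoted in the reply, in the binary
# form a raw LDAP read of tokenGroups would return.
TOKEN_GROUPS: List[bytes] = [string_to_sid(s) for s in (
    "S-1-5-21-1532318898-2625386876-3981842600-1114",
    "S-1-5-21-1532318898-2625386876-3981842600-1115",
    "S-1-5-21-1532318898-2625386876-3981842600-1116",
    "S-1-5-21-1532318898-2625386876-3981842600-1609",
    "S-1-5-21-1532318898-2625386876-3981842600-513",
    "S-1-5-32-545",
)]

# Constructed SID -> name mapping (the Level 1/2/3 names are assumptions for
# the example; 513 is the well-known Domain Users RID, S-1-5-32-545 is BUILTIN\Users).
GROUP_NAMES: Dict[str, str] = {
    "S-1-5-21-1532318898-2625386876-3981842600-1114": "Level 1",
    "S-1-5-21-1532318898-2625386876-3981842600-1115": "Level 2",
    "S-1-5-21-1532318898-2625386876-3981842600-1116": "Level 3",
    "S-1-5-21-1532318898-2625386876-3981842600-513": "Domain Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def has_group(token_groups: Iterable[bytes], required_sid: str) -> bool:
    """Equivalent of a role-mapping rule on the S-number: is the user in this group,
    directly or through any level of nesting?"""
    wanted = string_to_sid(required_sid)  # compare canonical bytes, not strings
    return any(raw == wanted for raw in token_groups)


def resolve_names(token_groups: Iterable[bytes], names: Dict[str, str]) -> List[str]:
    """Translate decoded SIDs to names where known; unknown SIDs stay as strings."""
    return [names.get(sid_to_string(raw), sid_to_string(raw)) for raw in token_groups]


if __name__ == "__main__":
    for raw in TOKEN_GROUPS:
        print(raw.hex(), "->", sid_to_string(raw))
    print(resolve_names(TOKEN_GROUPS, GROUP_NAMES))
    print("member of Level 1:",
          has_group(TOKEN_GROUPS, "S-1-5-21-1532318898-2625386876-3981842600-1114"))
```

    Comparing the required group by its SID bytes rather than by a display name is the point of the 'S-number' check in the reply: a group can be renamed, but its SID is stable, and tokenGroups already contains every transitive membership, so no recursive memberOf walk is needed.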

  • 3.  RE: Deep-Nested Active Directory Queries

    Posted Oct 05, 2020 06:36 PM


    Actually after I opened the topic I did figure out that it does work. But not as I need.

    I must query the groups not with %{Authentication:Username}, but with %{Endpoint:Username}. But the nested query only seems to work with the %{Authentication:Username}. If I change it to %{Endpoint:username} nothing gets returned.

    Is this somehow hardcoded internally? All my other LDAP queries for the same source work fine with %{Endpoint:Username} except for tokenGroups.


  • 4.  RE: Deep-Nested Active Directory Queries

    Posted Oct 06, 2020 09:49 AM

    I checked, and see the same. Also, the memberOf and Groups fields are present when using Authentication:Username, missing with Endpoint:Username. Most other fields show up, but it looks like the group/memberOf related ones are missing.


    When I see the 'show logs' in Access Tracker I do see some 'Failed to construct filter' messages around memberOf. We probably did the same, and I seem to see the same.


    Can you open a case with Aruba support on this? I'm not 100% sure if this is supported/designed, but TAC may be able to assist you regardless. Please share in a PM the ticket number if you feel it may help that the TAC engineer speaks with me, as I now think I understand the question.


  • 5.  RE: Deep-Nested Active Directory Queries

    Posted Nov 16, 2021 10:23 AM
    Hi Herman,

    I have a similar issue but only on TACACS services.
    When we use the same groups filter for RADIUS, it is working perfectly fine.
    It looks like the way the LDAP query is constructed for RADIUS is different for the TACACS services.

    I have opened a TAC case for this but the answer from engineering was not very satisfying.
    "I have received an update from the engineering team that, as per the defect CP-XXXX, the Token groups are not supported with TACACS in ClearPass."

    "This concern has already been raised on the defect CP-XXXXX and the engineering team informed us: "With TACACS, currently tokenGroups, which is an alternative to group membership lookups, is not available. Introducing tokenGroups to TACACS would require code change and this should be raised as feature request." So, it is not documented and addressed as a feature request."

    So it looks like the Tokengroup filter is not supported; I have seen this in several releases: 6.8, 6.9 and 6.10.

    Best Regards
    Dennis Timmermans