Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Active Directory authentication source Cache

  • 1.  Clearpass Active Directory authentication source Cache

    Posted Apr 19, 2021 10:40 AM
    What's actually cached for a given AD authentication source?

    Is this the "UserDN" information that would include group membership?  Are the actual user authentication credentials cached?


    ------------------------------
    Scott Farrand
    ------------------------------


  • 2.  RE: Clearpass Active Directory authentication source Cache

    Posted Apr 19, 2021 11:52 AM
    CPPM does not store user credentials for external sources.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Clearpass Active Directory authentication source Cache

    EMPLOYEE
    Posted Apr 26, 2021 05:50 AM
    I would say it is safe to assume that it is the information that is displayed in Access Tracker for your Authentication source, including Groups/memberOf and other attributes that are pulled from AD.

    As mentioned, credentials are not part of that.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 4.  RE: Clearpass Active Directory authentication source Cache

    Posted Apr 26, 2021 10:06 AM
    My issue wasn't that the credentials were being stored... my issue was that we test primary group membership as part of our login policy, and I'd missed the "Cache Timeout" section of the General tab under Authentication Sources.

    I was just trying to figure out why an AD primary group membership change didn't show up quickly in ClearPass.  That Cache Timeout was the reason.

    ------------------------------
    Scott Farrand
    ------------------------------