Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Caching Roles

  • 1.  CPPM Caching Roles

    Posted Nov 20, 2020 06:54 AM
    Hi All

    I have ClearPass 6.7 that is authenticating some users connecting to a VPN solution. I have a small subset of users that require different roles to be assigned, so I have added them to the local user repository and added this as an authorization source. I have added a couple of attributes for the users that I use in role mapping; the role mapping policy checks if the account is enabled, checks for the existence of the attribute, and maps the relevant role. Everything works as expected except when I change something. For example, if I disable the account and then reconnect, this is not reflected in the role mapping for some time; it's as if it is being cached. I saw the same thing with AD group membership: if a user is added to a group, it takes a while for this to be reflected in role mapping, even though I can see they are a member of the group when looking at the AD authentication source.
    I don't have the "Use cached Roles and Posture attributes from previous sessions" ticked on my enforcement policy and I've tried setting the "policy result cache timeout" to 0.

    Any help would be appreciated.

    Thanks

    Dave


  • 2.  RE: CPPM Caching Roles
    Best Answer

    MVP EXPERT
    Posted Nov 20, 2020 07:20 AM
    Your auth source does caching as well, e.g. for AD I think the default was 3600 secs.

    ------------------------------
    Alex Sharaz
    ------------------------------
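The point of the Best Answer is that there are two independent caches in the request path, and setting the policy result cache timeout to 0 leaves the authentication-source cache untouched. The following is an added model of that behaviour, written for this page and not ClearPass code: a fake user repository behind two TTL caches, with a role mapping policy shaped like the one in the original post. The 3600 s default is the figure quoted above; the repository contents, the role names and the decision to treat an empty attribute value as "not set" are constructed assumptions for the example, not documented ClearPass semantics.

```python
"""Model of the two cache layers discussed in this thread.

Constructed example, not ClearPass code.  A request passes through:
  1. the per-authentication-source cache of authorization attributes
     (assumed default 3600 s, the figure quoted in the Best Answer), then
  2. the policy result cache on the enforcement policy.
Setting (2) to 0 does not flush (1), so a freshly disabled account keeps
its old role until (1) expires.
"""
import copy
from typing import Callable, Dict, Tuple

AUTH_SOURCE_CACHE_DEFAULT = 3600  # seconds; assumed default, check your CPPM

# Constructed stand-in for the local user repository (authorization attributes).
SAMPLE_REPOSITORY: Dict[str, Dict[str, str]] = {
    "dave":  {"enabled": "true", "vpn_profile": "Admin"},
    "alice": {"enabled": "true", "vpn_profile": ""},  # attribute present, value empty
}


class TtlCache:
    """Minimal time-based cache; ttl == 0 disables caching entirely."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self._entries: Dict[str, Tuple[float, object]] = {}

    def get(self, key: str, now: float, loader: Callable[[str], object]):
        entry = self._entries.get(key)
        if self.ttl > 0 and entry is not None and now - entry[0] < self.ttl:
            return entry[1]  # served from cache, backend not consulted
        value = loader(key)
        self._entries[key] = (now, value)
        return value


def map_role(attrs: Dict[str, str]) -> str:
    """Role mapping policy as described in the original post: the account must
    be enabled, then a non-empty attribute selects the role.  Role names are
    hypothetical; the empty-string check is a modelling choice for post 4."""
    if attrs.get("enabled") != "true":
        return "VPN-Disabled"
    profile = attrs.get("vpn_profile", "")
    if profile != "":
        return f"VPN-{profile}"
    return "VPN-Standard"


class PolicyEngine:
    """Two caches in series: authorization attributes (per auth source) and
    the policy result (per enforcement policy)."""

    def __init__(self, repository: Dict[str, Dict[str, str]],
                 auth_source_ttl: int = AUTH_SOURCE_CACHE_DEFAULT,
                 policy_result_ttl: int = 0) -> None:
        self.repository = copy.deepcopy(repository)
        self.auth_cache = TtlCache(auth_source_ttl)
        self.policy_cache = TtlCache(policy_result_ttl)

    def _fetch_attributes(self, user: str) -> Dict[str, str]:
        # A real lookup would hit LDAP/SQL; snapshot so cached dicts don't alias.
        return dict(self.repository.get(user, {"enabled": "false"}))

    def role_for(self, user: str, now: float) -> str:
        def evaluate(_key: str) -> str:
            attrs = self.auth_cache.get(user, now, self._fetch_attributes)
            return map_role(attrs)
        return self.policy_cache.get(user, now, evaluate)

    def disable_account(self, user: str) -> None:
        self.repository[user]["enabled"] = "false"


def simulate(auth_source_ttl: int, policy_result_ttl: int) -> Tuple[str, str, str]:
    """Connect, disable the account, reconnect shortly after, reconnect again
    once the auth-source TTL has passed.  Returns the three roles observed."""
    engine = PolicyEngine(SAMPLE_REPOSITORY, auth_source_ttl, policy_result_ttl)
    before = engine.role_for("dave", now=0.0)
    engine.disable_account("dave")
    shortly = engine.role_for("dave", now=60.0)
    expired = engine.role_for("dave", now=AUTH_SOURCE_CACHE_DEFAULT + 1.0)
    return before, shortly, expired


if __name__ == "__main__":
    print("policy cache 0, auth-source cache 3600:", simulate(3600, 0))
    print("both caches 0:                         ", simulate(0, 0))
```

Running the first scenario shows the symptom from the original post: the policy result cache is already 0, yet the reconnect a minute after the account is disabled still yields `VPN-Admin`, and only the connection after 3600 s sees `VPN-Disabled`. Dropping the authentication-source TTL to 0 makes the change visible on the next connection, at the cost of a backend lookup per request; on a production CPPM the usual compromise is a short TTL rather than none.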



  • 3.  RE: CPPM Caching Roles

    Posted Nov 20, 2020 10:09 AM
    Thanks, exactly what I was looking for.

    ------------------------------
    David Gratton
    ------------------------------



  • 4.  RE: CPPM Caching Roles

    Posted Nov 20, 2020 10:14 AM
    A quick followup question. I'm trying to check for the existence of an attribute in the local user repository in my role mapping policy, but when I check access tracker it seems to always say that the attribute exists even when it isn't set for that user, it just shows it with no value under authorization attributes.
    Is there a way to check if an attribute is not empty? I've tried "not equals NULL" but that didn't work.

    ------------------------------
    David Gratton
    ------------------------------



  • 5.  RE: CPPM Caching Roles

    EMPLOYEE
    Posted Nov 23, 2020 07:11 AM
    Have you tried the 'EXISTS' operator (instead of 'NOT EQUALS')? Not sure if that will trigger on an empty but existing attribute.


    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------