Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Dynamic select the authentication source and the authorization source based on the domain name

This thread has been viewed 15 times
  • 1.  Dynamic select the authentication source and the authorization source based on the domain name

    Posted Dec 28, 2021 09:45 AM
    Hi,
           I have a customer who has an authentication requirement.There are two domains in his environment: domain A and domain B. The two domains are in a trust state.
           Each user has a corresponding account in domainA and domainB. When The user uses domainA\XXXXX authentication,After the authentication is successful, CPPM needs to return VLAN X to the controller. When the user uses domainB\XXXXX authentication, after the authentication is successful, CPPM needs to return VLAN Y to the controller.
        I created an authentication service on CPPM, and both domains are used as authentication source and authorization source,The eforment policy configuration is as follows:
          1、
                Authorzaion source:domainB member of contain XXXX
                AND                                                                                                                      ------->     VLAN X
                Authorzaion Source equal DomainA

           2、
                Authorzaion source:domainB  member of contain YYYYY
                AND                                                                                                                      ------->     VLAN Y
                Authorzaion Source equal DomainB

        During the test, I found that when I used domanB\xxx for authentication for the first time, after the authentication was successful, CPPM could successfully return VLAN Y to the controller. When I used domanA\xxx for authentication again, the CPPM still remained Return VLAN Y ,Not the VLAN X.the cache time of the two authentication sources has not been set to 0.
        My question is in an authentication service, can CPPM automatically select the authentication source and the authorization source based on the domain name in the authentication request?How can I set up to meet the customer's authentication requirement?

    ------------------------------
    tan xiaofeng
    ------------------------------


  • 2.  RE: Dynamic select the authentication source and the authorization source based on the domain name

    Posted Dec 29, 2021 07:42 AM
    Hi, I don't know about the dynamic selection but maybe you can try the following:

    Use a role mapping where you give a role to the user(userDomainA or userDomainB) based on the domain used in the username and later in the Enforcement policy you can assign the vlan based on that role.

    Hope this helps

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 3.  RE: Dynamic select the authentication source and the authorization source based on the domain name

    MVP
    Posted Dec 29, 2021 08:52 AM
    I have similar deployment at one of our customer.
    We have created two separate services (1 Service for DomainA & 1 Service for DomainB).

    For triggering the service we have included Authentication Username Contains DomainA -> Trigger Service A with Policy, Enforcement and Authentication Source Domain. For triggering the service we have included Authentication Username Contains DomainB -> Trigger Service B with Policy, Enforcement and Authentication Source Domain.

    It works perfectly :)

    ------------------------------
    Shpat | MVP 2021 | ACEP | ACMP | ACCP | ACDP |
    ------------------------------



  • 4.  RE: Dynamic select the authentication source and the authorization source based on the domain name

    Posted Dec 30, 2021 05:49 AM
    Great, I am currently implementing it in the same way!

    ------------------------------
    tan xiaofeng
    ------------------------------