Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dynamic select the authentication source and the authorization source based on the domain name

  • 1.  Dynamic select the authentication source and the authorization source based on the domain name

    Posted Dec 28, 2021 09:45 AM
    Hi,
    I have a customer who has an authentication requirement. There are two domains in his environment: domain A and domain B. The two domains are in a trust state.
    Each user has a corresponding account in domainA and domainB. When the user authenticates as domainA\XXXXX, after the authentication is successful, CPPM needs to return VLAN X to the controller. When the user authenticates as domainB\XXXXX, after the authentication is successful, CPPM needs to return VLAN Y to the controller.
    I created an authentication service on CPPM, and both domains are used as authentication source and authorization source. The enforcement policy configuration is as follows:
      1.
         Authorization source:domainB member of contains XXXX
         AND                                                  -------> VLAN X
         Authorization Source equals DomainA

      2.
         Authorization source:domainB member of contains YYYYY
         AND                                                  -------> VLAN Y
         Authorization Source equals DomainB

    During the test, I found that when I used domainB\xxx for authentication for the first time, after the authentication was successful, CPPM could successfully return VLAN Y to the controller. When I then used domainA\xxx for authentication, CPPM still returned VLAN Y, not VLAN X. The cache time of the two authentication sources has not been set to 0.
    My question is: within one authentication service, can CPPM automatically select the authentication source and the authorization source based on the domain name in the authentication request? How can I set it up to meet the customer's authentication requirement?

    ------------------------------
    tan xiaofeng
    ------------------------------


  • 2.  RE: Dynamic select the authentication source and the authorization source based on the domain name

    Posted Dec 29, 2021 07:42 AM
    Hi, I don't know about the dynamic selection, but maybe you can try the following:

    Use a role mapping where you give a role to the user (userDomainA or userDomainB) based on the domain used in the username, and later in the enforcement policy you can assign the VLAN based on that role.

    Hope this helps

    ------------------------------
    Ulises Cazares
    ------------------------------



  • 3.  RE: Dynamic select the authentication source and the authorization source based on the domain name

    MVP
    Posted Dec 29, 2021 08:52 AM
    I have a similar deployment at one of our customers.
    We have created two separate services (one service for DomainA and one service for DomainB).

    For triggering the service we have included "Authentication Username Contains DomainA" -> trigger Service A with its policy, enforcement and authentication source for that domain. Likewise, "Authentication Username Contains DomainB" -> trigger Service B with its policy, enforcement and authentication source for that domain.

    It works perfectly :)

    ------------------------------
    Shpat | MVP 2021 | ACEP | ACMP | ACCP | ACDP |
    ------------------------------
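Both suggestions above (a role mapping on the domain in the username, or two services triggered by the domain in the username) rest on the same step: read the domain the request names, and let that decide which source validates the credentials and which VLAN comes back. The following is an added Python model of that logic, not ClearPass code and not from anyone in this thread. The domain names, realms, accounts and passwords are constructed stand-ins; the assumption is that the rule sees the username with its domain prefix still attached (a stripped username would name no domain and, in this model, match no service).

```python
"""Username-driven service selection for two trusted domains.

The domain a request claims (DOMAIN\\user or user@realm) picks the
service; the service queries only that domain's source; the VLAN is
returned only after that source accepts the credentials.
"""
import re
from typing import Optional, Tuple

# Constructed stand-ins for the two domains (hypothetical names and accounts).
# Each entry: the UPN realm, the VLAN wanted for that domain, and the
# accounts that domain's own directory would validate.
DOMAINS = {
    "DOMAINA": {"realm": "domaina.example", "vlan": "X",
                "accounts": {"alice": "pw-alice-A", "bob": "pw-bob-A"}},
    "DOMAINB": {"realm": "domainb.example", "vlan": "Y",
                "accounts": {"alice": "pw-alice-B", "bob": "pw-bob-B"}},
}
REALM_TO_DOMAIN = {d["realm"]: name for name, d in DOMAINS.items()}


def parse_user_name(full_user_name: str) -> Tuple[Optional[str], str]:
    """Split a RADIUS User-Name into (domain, user).

    Accepts DOMAIN\\user (down-level logon name) and user@realm (UPN).
    A bare username names no domain and yields (None, user).
    Comparison is case-insensitive, as directory names are.
    """
    m = re.fullmatch(r"([^\\@]+)\\([^\\@]+)", full_user_name)
    if m:
        return m.group(1).upper(), m.group(2).lower()
    m = re.fullmatch(r"([^\\@]+)@([^\\@]+)", full_user_name)
    if m:
        return REALM_TO_DOMAIN.get(m.group(2).lower()), m.group(1).lower()
    return None, full_user_name.lower()


def select_service(full_user_name: str) -> Optional[str]:
    """Service rule: the domain named in the username selects the service.

    Returns the domain key whose service should run, or None when the
    request names no known domain. There is deliberately no default
    service, so such a request is rejected rather than guessed at.
    """
    domain, _ = parse_user_name(full_user_name)
    return domain if domain in DOMAINS else None


def authenticate(full_user_name: str, password: str) -> dict:
    """Run the selected service: authenticate against that domain only."""
    service = select_service(full_user_name)
    if service is None:
        return {"result": "reject", "reason": "no service matched", "vlan": None}
    _, user = parse_user_name(full_user_name)
    # Only the selected domain's source is consulted. The user having a
    # valid account in the other (trusted) domain does not count here.
    if DOMAINS[service]["accounts"].get(user) != password:
        return {"result": "reject", "reason": f"{service} refused {user}", "vlan": None}
    # The VLAN is derived from the request's own domain on every request,
    # so alternating between domainA\\alice and domainB\\alice gives X, Y, X.
    return {"result": "accept", "service": service, "vlan": DOMAINS[service]["vlan"]}


if __name__ == "__main__":
    for name, pw in [(r"domainB\alice", "pw-alice-B"),
                     (r"domainA\alice", "pw-alice-A"),
                     ("alice@domainb.example", "pw-alice-B"),
                     (r"domainA\alice", "pw-alice-B"),
                     ("alice", "pw-alice-A")]:
        print(f"{name:28} -> {authenticate(name, pw)}")
```

The two rejection branches are the part worth keeping when this is built in the real policy: a request with no recognisable domain should not fall through to a catch-all service, and a password that only the other domain would accept must not be tried there just because the domains trust each other.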



  • 4.  RE: Dynamic select the authentication source and the authorization source based on the domain name

    Posted Dec 30, 2021 05:49 AM
    Great, I am currently implementing it in the same way!

    ------------------------------
    tan xiaofeng
    ------------------------------