Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Contains vs equal clearpass policy Manager

  • 1.  Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:15 AM

    Hello

    I was building a rule just now as I was preparing a demo... and I was stuck for a whole 10 minutes.

    I have a group in AD whose name is Ingenieria.

    So I was building a rule which says member of EQUALS Ingenieria... it didn't work...

    But as soon as I changed it to CONTAINS it worked...

    What's the difference?

    As far as I knew, EQUALS is just that, equals: it was looking for a group in Active Directory with that same name...

    Contains would be an AD group that contains that word Ingenieria...

    Am I wrong? If so, can you guys enlighten me on this?

     

    Cheers

    Carlos



  • 2.  RE: Contains vs equal clearpass policy Manager
    Best Answer

    Posted May 16, 2014 10:17 AM

    Equals means it solely contains that single, unique value. Since memberof may have multiple values, you need to use Contains.



  • 3.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:27 AM

    So basically on member of you always have to use Contains? You never use Equals?

     

    Cheers

    Carlos



  • 4.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:29 AM
    Yes, I always use Contains.


  • 5.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:29 AM

    It's just that, as I'm referring to a group name, for me it has a single unique value... the only name it has, which in this case is Ingenieria...

    That's why I don't understand...

     

     

    Cheers

    Carlos



  • 6.  RE: Contains vs equal clearpass policy Manager
    Best Answer

    Posted May 16, 2014 10:30 AM

    For memberOf... ALWAYS use Contains. EQUALS will never hit, as you would need to match on the entire string returned from AD.



  • 7.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:55 AM

    Edit.



  • 8.  RE: Contains vs equal clearpass policy Manager

    Posted May 17, 2014 11:14 AM

    For memberOf, you need to use Contains; if you use the Groups property, you can use EQUALS:

     

    (Authorization:dc-02.nl:Groups  EQUALS  Domain Admins)

     

    Personally I tend to use Groups instead of memberOf, as it makes a more thorough match.



  • 9.  RE: Contains vs equal clearpass policy Manager

    Posted May 20, 2014 10:16 AM

    How is Groups better than memberOf? BTW, for a more exact match, you need to use a full path with memberOf, like

    (Authorization:SENSENET Domain:memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu)

     

    If you use (Authorization:SENSENET Domain:memberOf  CONTAINS  Staff) it would match any group that contains the string "Staff" and any group in a path that contains "Staff".

     

    What is the behavior of using "Groups EQUALS"?



  • 10.  RE: Contains vs equal clearpass policy Manager

    Posted May 20, 2014 10:32 AM

    In your example, memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu is indeed a complete match.

     

    And that is functionally equal to Groups EQUALS Staff (which is much shorter).

     

    Where a possible issue lies is in a case like the one in the question, where memberOf CONTAINS Ingenieria. In that case, CN=Disabled-Users,OU=Ingenieria,DC=domain,DC=com will match.

    Groups EQUALS Ingenieria does exactly what is expected in this question, and seems better for overview to me in most cases. This does not match anything other than the group name Ingenieria.

     

    So I prefer to use the Group EQUALS variant as it better matches the expectations that many users have and for that reason avoids errors.

     

    Herman
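
The matching behaviour discussed in this thread, as an added example (not ClearPass code and not from any poster). It models the operators as the replies describe them; the DNs are constructed sample data and all function names are hypothetical.

```python
import re

# Constructed sample data: memberOf values (full DNs) for two hypothetical users.
ENGINEER = ["CN=Ingenieria,OU=Groups,DC=domain,DC=com",
            "CN=Domain Users,CN=Users,DC=domain,DC=com"]
DISABLED = ["CN=Disabled-Users,OU=Ingenieria,DC=domain,DC=com"]


def leading_cn(dn):
    """Return the CN of a DN's first RDN, or None if the first RDN is not a CN."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # ignore escaped commas
    attr, _, value = first_rdn.partition("=")
    return value.strip() if attr.strip().upper() == "CN" else None


def member_of_equals(member_of, operand):
    """Assumed EQUALS model: the attribute holds exactly one value, equal to operand."""
    return member_of == [operand]


def member_of_contains(member_of, operand):
    """Assumed CONTAINS model: substring test against each returned DN."""
    return any(operand in dn for dn in member_of)


def groups_equals(member_of, operand):
    """Assumed Groups model: compare operand with each group's name (CN) only."""
    return operand in [leading_cn(dn) for dn in member_of]


def overmatched(group_name, directory_dns):
    """DNs that 'memberOf CONTAINS group_name' hits although the group name differs.

    group_name is a bare group name, not a full DN.
    """
    return [dn for dn in directory_dns
            if group_name in dn and leading_cn(dn) != group_name]


if __name__ == "__main__":
    for label, user in (("engineer", ENGINEER), ("disabled", DISABLED)):
        print(label,
              member_of_equals(user, "Ingenieria"),
              member_of_contains(user, "Ingenieria"),
              groups_equals(user, "Ingenieria"))
    print(overmatched("Ingenieria", ENGINEER + DISABLED))
```

Running `overmatched` over an export of group DNs before deploying a bare-name CONTAINS rule shows which unrelated groups would satisfy it.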