Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Contains vs equal clearpass policy Manager

Jump to Best Answer
  • 1.  Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:15 AM

    Hello

    I was budling a rule just now as i was preparing a demo... and i was stuck for a whole 10 minutes

    I got a group in AD which the name is Ingenieria

    So i was building a rule which says  member of EQUALS Ingenieria... it didnt work...

    But as soon as i changed to this CONTAINS it worked...

     

    polciymanager.JPGWhats the difference????

    As far i knew the EQUALS its like that  Equals.. it was looking for a group in Active directory with that same name...

     

    Contains would be a AD group that contains that word Ingenieria...

     

    I am wrong? if so can you guys enligh me with this???

     

    Cheers

    Carlos



  • 2.  RE: Contains vs equal clearpass policy Manager
    Best Answer

    Posted May 16, 2014 10:17 AM

    Equals means it solely contains that single, unique value. Since memberof may have multiple values, you need to use Contains.



  • 3.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:27 AM

    So basically on member of you always have to use contains?You never use Equals?

     

    Cheers

    Carlos



  • 4.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:29 AM
    Yes, I always contains.


  • 5.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:29 AM

    it just that as im referring to a group name  for me it has a single unique value... the only name it has which in this case is Ingenieria...

    Thats why i dont understand...

     

     

    Cheers

    Carlos



  • 6.  RE: Contains vs equal clearpass policy Manager
    Best Answer

    Posted May 16, 2014 10:30 AM

    For memberof...ALWAYS use contains.  EQUALS will never hit as you would need to match on the entire string returned from AD



  • 7.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:55 AM

    Edit.



  • 8.  RE: Contains vs equal clearpass policy Manager

    Posted May 17, 2014 11:14 AM

    For the memberOf, you need to use Contains; if you use the Groups propery, you can use EQUALS:

     

    (Authorization:dc-02.nl:Groups  EQUALS  Domain Admins)

     

    Personally I tend use Groups, instead of memberOf as it makes a more thorough match.



  • 9.  RE: Contains vs equal clearpass policy Manager

    Posted May 20, 2014 10:16 AM

    How is Groups better than memberOf? BTW, for more exact a more exact match, you need to use a fully path with memberOf like

     

    (Authorization:SENSENET Domain:memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu

     

    If you use (Authorization:SENSENET Domain:memberOf  CONTAINS  Staff) it would match any group that contains the string "Staff" and any group in a path that contains "Staff".

     

    What is the behavior of using "Groups EQUALS"?



  • 10.  RE: Contains vs equal clearpass policy Manager

    Posted May 20, 2014 10:32 AM

    In your example, memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu is indeed a complete match.

     

    And that is functionally equal to Groups EQUALS Staff (which is much shorter).

     

    Where lies a possible issue is like in the question where memberOf CONTAINS Ingenieria. In that case, CN=Disabled-Users,OU=Ingeniera,DC=domain,DC=com will match.

     

    Groups EQUALS Ingeniera is exactly what does what is expected in this question; and seems better for overview  to me in most cases. This does not match anything else than the group name Ingeniera.

     

    So I prefer to use the Group EQUALS variant as it better matches the expectations that many users have and for that reason avoids errors.

     

    Herman



  • 11.  RE: Contains vs equal clearpass policy Manager

    Posted 16 days ago
    Herman,

    I know this is a super old thread. In my ClearPass 6.9 I don't seem to pull down a group attribute on authentication to validate the group name equals. Here is what I see to validate against. Any idea if I am missing something to put down the group name? I had an issue where two member of names were similar and contains threw me for a loop when it was put in the wrong policy.

    Thanks!



    ------------------------------
    Christopher Calhoun
    ------------------------------


  • 12.  RE: Contains vs equal clearpass policy Manager

    Posted 15 days ago
    Just add a check on 'Groups EQUALS' and the Groups will (likely) show up in Access Tracker. If attributes are not used during role-mapping or enforcement, they may not be retrieved as a performance optimization.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 13.  RE: Contains vs equal clearpass policy Manager

    Posted 15 days ago
    Makes perfect sense I will give it a try today in my Lab. Will let you know how it goes.

    Thanks,
    Chris

    ------------------------------
    Christopher Calhoun
    ------------------------------



  • 14.  RE: Contains vs equal clearpass policy Manager

    Posted 15 days ago
    Thanks so much Herman. This has plagued me since the beginning of installing ClearPass. I guess I should have asked earlier. Now I can do Equals and not have to worry about similar names in the first applicable selections.
     
    There it is! 



    ------------------------------
    Christopher Calhoun
    ------------------------------