CPPM Caching Roles

  • 1.  CPPM Caching Roles

    Posted 8 days ago
    Hi All

    I have Clearpass 6.7 that is authenticating some users connecting to a VPN solution. I have a small subset of users that require different roles to be assigned, so I have added them to the local user repository and added this as an authorization source. I have added a couple of attributes for the users that I use in role mapping; the role mapping policy checks if the account is enabled, checks for the existence of the attribute, and maps the relevant role. Everything works as expected except when I change something: for example, if I disable the account and then reconnect, this is not reflected in the role mapping for some time; it's as if it is being cached. I saw the same thing with AD group membership: if a user is added to a group, it takes a while for this to be reflected in role mapping, even though I can see they are a member of the group looking at the AD authentication source.
    I don't have the "Use cached Roles and Posture attributes from previous sessions" ticked on my enforcement policy and I've tried setting the "policy result cache timeout" to 0.

    Any help would be appreciated.

    Thanks

    Dave


  • 2.  RE: CPPM Caching Roles
    Best Answer

    Posted 8 days ago
    Your auth source does caching as well, e.g. for AD I think the default was 3600 secs.

    ------------------------------
    Alex Sharaz
    ------------------------------



  • 3.  RE: CPPM Caching Roles

    Posted 8 days ago
    Thanks, exactly what I was looking for.

    ------------------------------
    David Gratton
    ------------------------------



  • 4.  RE: CPPM Caching Roles

    Posted 8 days ago
    A quick follow-up question. I'm trying to check for the existence of an attribute in the local user repository in my role mapping policy, but when I check Access Tracker it seems to always say that the attribute exists even when it isn't set for that user; it just shows it with no value under authorization attributes.
    Is there a way to check if an attribute is not empty? I've tried "not equals NULL" but that didn't work.

    ------------------------------
    David Gratton
    ------------------------------



  • 5.  RE: CPPM Caching Roles

    Posted 5 days ago
    Have you tried the 'EXISTS' operator (instead of 'NOT EQUALS')? Not sure if that will trigger on an empty but existing attribute.


    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------
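The two effects discussed in this thread, the authentication-source cache keeping a disabled account's old role until the cache entry expires (reply 2) and the difference between an attribute that exists with an empty value and one that is absent (replies 4 and 5), can be seen concretely in the following model. This is an added example, not ClearPass code: the 3600 s default is the figure quoted above, while the user store, attribute names, role names and the assumption that an empty string counts as "empty" are constructed for the example.

```python
"""Added example (not ClearPass code): a TTL cache of authorization attributes
in front of a role-mapping policy, plus EXISTS vs non-empty attribute checks.
The 3600 s TTL is the AD default quoted in the thread; users, attribute and
role names are constructed for this example."""
import time
from typing import Any, Callable, Dict


class AuthSourceCache:
    """Per-user cache of authorization attributes with a fixed TTL (seconds).

    Models what an authentication source does in front of the directory: the
    first lookup hits the backend, later lookups within `ttl` are served from
    the cached copy even if the backend has changed since.
    """

    def __init__(self, lookup: Callable[[str], Dict[str, Any]], ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.lookup = lookup
        self.ttl = ttl
        self.clock = clock
        self._entries: Dict[str, tuple] = {}  # user -> (expires_at, attributes)

    def get(self, user: str) -> Dict[str, Any]:
        now = self.clock()
        hit = self._entries.get(user)
        if hit is not None and hit[0] > now:
            return hit[1]                      # still fresh: backend not consulted
        attrs = dict(self.lookup(user))        # copy so backend edits don't leak in
        self._entries[user] = (now + self.ttl, attrs)
        return attrs

    def invalidate(self, user: str) -> None:
        """Drop one user's entry so the next lookup goes back to the backend."""
        self._entries.pop(user, None)


def attr_exists(attrs: Dict[str, Any], name: str) -> bool:
    """EXISTS-style check: the attribute is present, whatever its value."""
    return name in attrs


def attr_not_empty(attrs: Dict[str, Any], name: str) -> bool:
    """Stricter check: present AND carries a value (assumption: '' is empty)."""
    return attrs.get(name) not in (None, "")


def map_role(attrs: Dict[str, Any]) -> str:
    """Role mapping: disabled -> deny; non-empty vpn_role -> that role; else default."""
    if not attrs.get("enabled", False):
        return "deny"
    if attr_not_empty(attrs, "vpn_role"):
        return attrs["vpn_role"]
    return "default-vpn"


class FakeClock:
    """Controllable clock so the TTL window can be stepped through deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def stale_role_timeline(ttl: float = 3600) -> Dict[str, str]:
    """Role seen at each step after an account is disabled behind a cached source."""
    backend = {"dave": {"enabled": True, "vpn_role": "admin-vpn"}}  # constructed user
    clock = FakeClock()
    cache = AuthSourceCache(lambda u: backend[u], ttl, clock)
    seen: Dict[str, str] = {}
    seen["first_auth"] = map_role(cache.get("dave"))            # populates the cache
    backend["dave"]["enabled"] = False                           # admin disables the account
    clock.advance(60)
    seen["reconnect_after_60s"] = map_role(cache.get("dave"))   # served stale: still admin-vpn
    clock.advance(ttl)
    seen["reconnect_after_ttl"] = map_role(cache.get("dave"))   # entry expired: now denied
    backend["dave"]["enabled"] = True                            # account re-enabled
    seen["re_enabled_cached"] = map_role(cache.get("dave"))     # stale again: still denied
    cache.invalidate("dave")                                     # explicit cache clear
    seen["re_enabled_invalidated"] = map_role(cache.get("dave"))
    return seen


def attribute_checks() -> Dict[str, Dict[str, Any]]:
    """EXISTS vs non-empty for three constructed users in a local user repository."""
    repo = {
        "dave": {"enabled": True, "vpn_role": "admin-vpn"},  # value set
        "eve": {"enabled": True, "vpn_role": ""},            # present but empty
        "bob": {"enabled": True},                            # attribute absent
    }
    return {
        user: {
            "exists": attr_exists(attrs, "vpn_role"),
            "not_empty": attr_not_empty(attrs, "vpn_role"),
            "role": map_role(attrs),
        }
        for user, attrs in repo.items()
    }


if __name__ == "__main__":
    for step, role in stale_role_timeline().items():
        print(f"{step:24s} -> {role}")
    for user, result in attribute_checks().items():
        print(user, result)
```

The timeline shows why the enforcement-policy settings in the first post did not help: the stale result comes from the authentication source's own cache, so a shorter source cache timeout (or clearing the entry when the account changes) is what shortens the window. The attribute table shows why an EXISTS-style test cannot tell "eve" from "dave"; only a value check separates an empty attribute from a populated one.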