Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication based on machine AD membership.

  • 1.  Authentication based on machine AD membership.

    Posted Dec 11, 2018 09:03 AM

    Hi, is it possible to map roles in ClearPass to machines using 802.1X? I have computers in several groups in AD and I want to assign VLANs based on machine group membership (I need to use only machine-based authentication).

    I have tried role mapping with the condition:

    Authorization:Domain Controller | Groups | Equals | computer group name

    But it is not working - the device always goes to the default role.



  • 2.  RE: Authentication based on machine AD membership.

    Posted Dec 11, 2018 09:28 AM
    Are you using groups or OUs?
    Go to Monitoring > Access Tracker, open one of the rejected machine auth log entries, and look at the Input tab > Authorization Attributes.

    That way you can see what AD attributes ClearPass is able to pick up.


  • 3.  RE: Authentication based on machine AD membership.

    Posted Dec 11, 2018 09:32 AM

    There is an attribute:

    Authorization:lab_DC01:UserDN CN=PC01,CN=Computers,DC=lab,DC=local

    And it works when I specify this attribute as Group. But I need to authenticate all computers in the AD group: CN=lab,OU=Grupy,DC=lab,DC=local. PC01 is in group lab.

    I can bypass role mapping using the condition UserDN | ENDS_WITH | CN=Computers,DC=lab,DC=local but it is important for me to use groups instead of containers.



  • 4.  RE: Authentication based on machine AD membership.
    Best Answer