Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Multiple "memberOf" AD Attributes

  • 1.  Multiple "memberOf" AD Attributes

    Posted Sep 22, 2022 06:43 AM
    Hi All,

    I have a case where I need to extract the memberOf attribute from Microsoft AD to use it in an authorization rule, but when I query the AD, this object has two memberOf values (shown as two rows, and every row has a different value).

    When I checked in AD, this object has multiple AD groups under the "memberOf" tab, which means it is a member of two so-called OUs.
    I tried to alias these two memberOf values into separate rules, but only one shows up.
    I don't know how or when this memberOf shows up in the query result, because, for example, if one object has only one memberOf or no memberOf at all, then one object to another will have a different parameter ID for memberOf, right? (Or how is it exactly? I'm not an AD expert.)

    When the endpoint authenticates, in the Input attributes at Access Tracker, I can only see one of them.

    So does anyone know how to query the exact memberOf we want?

    PS: I am not in charge of the AD, and the customer's AD 99.9% won't change (or we can't change), so we need to find a way.

    (Attached some screenshots)


  • 2.  RE: Multiple "memberOf" AD Attributes

    Posted Sep 22, 2022 07:04 AM
    Hi

    It's normal that you have multiple memberOf rows. If a user is a member of 20 groups you will have 20 of them.
    In the role mapping or enforcement you should use the condition Contains instead of Equals.
    See the attached screenshot.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP
    Aranya AB
    ------------------------------



  • 3.  RE: Multiple "memberOf" AD Attributes

    EMPLOYEE
    Posted Sep 22, 2022 07:30 AM
    Or even better, use AD:Group EQUALS groupname, instead of memberOf CONTAINS in your role mapping or enforcement.

    AD:Group EQUALS groupname matches if the user is member of that group.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
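The memberOf handling the two replies above describe, shown offline as an added Python example (not ClearPass code and not anything posted in the thread): a constructed directory entry whose memberOf is multi-valued, a per-value exact match that behaves like an AD:Group EQUALS check, a naive substring CONTAINS that over-matches a similarly named group, and an LDAP filter that lets the directory itself answer the membership question. The usernames and group DNs are invented for illustration; the optional nested-group matching rule is AD's LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).

```python
"""Added example (not ClearPass or thread code): how a multi-valued AD
memberOf attribute arrives over LDAP and why an exact group-DN comparison
is safer than a substring match.  Entries and DNs below are constructed."""

# Constructed sample of what an LDAP search returns for three users.
# memberOf is multi-valued, so the client sees one value per direct group
# (ClearPass renders these as separate rows).  A user in no groups has no
# memberOf attribute at all rather than an empty one.
SAMPLE_ENTRIES = {
    "jdoe": {
        "sAMAccountName": ["jdoe"],
        "memberOf": [
            "CN=VPN-Users,OU=Groups,DC=example,DC=com",
            "CN=Helpdesk,OU=Groups,DC=example,DC=com",
        ],
    },
    "contractor": {
        "sAMAccountName": ["contractor"],
        "memberOf": ["CN=VPN-Users-Guest,OU=Groups,DC=example,DC=com"],
    },
    "intern": {"sAMAccountName": ["intern"]},  # no group membership
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: AD DNs are case-insensitive and may
    carry spaces after the separating commas.  Good enough for the common
    case; RDNs containing an escaped comma (\\,) would need a real DN parser."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def is_member_exact(entry: dict, group_dn: str) -> bool:
    """Per-value EQUALS: true only if one memberOf value is exactly the
    requested group DN (the behaviour you want from an authorization rule)."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted for v in entry.get("memberOf", []))


def is_member_contains(entry: dict, needle: str) -> bool:
    """Naive substring CONTAINS over the memberOf values, as an operator gets
    by matching on a bare group name instead of the full DN.  Shown here to
    demonstrate the over-match: 'CN=VPN-Users' also hits 'CN=VPN-Users-Guest'."""
    needle_n = needle.casefold()
    return any(needle_n in v.casefold() for v in entry.get("memberOf", []))


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515) so a
    user-supplied string cannot inject extra filter terms."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def membership_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """Build a filter that asks the directory whether the user is in the group,
    instead of fetching every memberOf row and comparing client-side.
    With nested=True the AD-specific LDAP_MATCHING_RULE_IN_CHAIN rule also
    follows group nesting, which a plain memberOf comparison does not."""
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return "(&(sAMAccountName=%s)(%s=%s))" % (
        ldap_escape(username), attr, ldap_escape(group_dn)
    )


if __name__ == "__main__":
    vpn_group = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
    for user, entry in SAMPLE_ENTRIES.items():
        print(
            f"{user:10s} exact={is_member_exact(entry, vpn_group)!s:5s} "
            f"contains={is_member_contains(entry, 'CN=VPN-Users')}"
        )
    print(membership_filter("jdoe", vpn_group))
    print(membership_filter("jdoe", vpn_group, nested=True))
```

Running the block shows `contractor` passing the substring check but failing the exact one, which is the difference between matching on a group name and matching on the group DN. The filter builder is the query-side answer to "how do I ask for the exact memberOf I want": the directory evaluates the membership and returns the user only if the group is present, and escaping the inputs keeps a crafted username from turning the filter into something else.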



  • 4.  RE: Multiple "memberOf" AD Attributes

    Posted Oct 16, 2022 05:09 PM
    Hi, thanks for the answer it helps me too.