Hello,
no, that's not correct.
You can set the Enforcement Policy to "Select first match" or "Select all matches".
A single enforcement policy rule will match all its conditions.
If you want to fall through, the first rule must be configured more specifically than the second rule, like you do, for example, with top-down firewall rulesets.
In my opinion, first match is the most common choice at the policy page.
Possibility 1:
Select first match at role mapping.
Create two role matching rules.
Configure the rule to ANY matches, or to ALL if you want to combine conditions to a result.
Rule 1:
Condition: memberof contains ADGroup1
Role: Employee (or whatever)
Rule 2:
Condition: memberof contains ADGroup2
Role: Employee
The user/device will get the role of the first matching rule.
Set the enforcement policy to first match and send back the enforcement profile of your choice to the NAD, if the Role Employee matches (Regardless which of the two ADGroups the User/Device belongs to).
Possibility 2:
Set the Role Mapping to "Select all matches".
Create two role matching rules.
Configure the rule to ANY matches, or to ALL if you want to combine conditions to a result.
Rule 1:
Condition: memberof contains ADGroup1
Role: Employee (or whatever)
Rule 2:
Condition: memberof contains ADGroup2
Role: VIP
A user with membership to both Groups will get two roles.
Users with only one Group membership will get one of the two roles.
Set the enforcement policy to first match.
First Enforcement Policy Rule:
Tips:Role EQUALS Employee (or whatever)
AND Tips:Role EQUALS VIP
Send back vlan 10, for example, using a corresponding enforcement profile.
Second Enforcement Policy Rule:
Tips:Role EQUALS Employee (or whatever)
Send back vlan 20, for example, using a corresponding enforcement profile.
Third Enforcement Policy Rule:
Tips:Role EQUALS VIP
Send back vlan 30, for example, using a corresponding enforcement profile.
These are just three common options to combine role mapping conditions, and there are countless more.
Just be careful with the use of "Select all matches" on the enforcement policy rule table page.
Be sure not to send back conflicting enforcement profiles if more than one rule is matching.
Have fun!
------------------------------
Best regards, mom
------------------------------
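The two possibilities above, and the ordering caveat, as a small Python simulation of the evaluation order (role mapping first, then the enforcement policy, each with "first match" or "all matches"). This is an added example, not ClearPass code or the poster's configuration; the rule contents follow the post, and representing Tips:Role as the list of mapped roles (so EQUALS matches when any role equals) is this example's assumption.

```python
"""Added example: simulation of role mapping and enforcement evaluation order.
Not ClearPass code. Rule contents follow the forum post; representing
Tips:Role as a list of mapped roles is an assumption of this example."""

from dataclasses import dataclass


@dataclass
class Condition:
    attribute: str  # e.g. "memberOf" or "Tips:Role"
    operator: str   # "EQUALS" or "CONTAINS"
    value: str


@dataclass
class Rule:
    conditions: list    # the rule's conditions
    result: str         # role name, or enforcement profile sent to the NAD
    match: str = "ALL"  # how the conditions combine: "ANY" or "ALL"


def condition_matches(cond, attrs):
    # memberOf is multi-valued (one row per group), so attributes are lists.
    values = attrs.get(cond.attribute, [])
    if isinstance(values, str):
        values = [values]
    if cond.operator == "EQUALS":
        return cond.value in values
    if cond.operator == "CONTAINS":
        return any(cond.value in v for v in values)
    raise ValueError(f"unsupported operator {cond.operator}")


def rule_matches(rule, attrs):
    hits = [condition_matches(c, attrs) for c in rule.conditions]
    return any(hits) if rule.match == "ANY" else all(hits)


def evaluate(rules, attrs, policy):
    """Top-down: policy 'first' stops at the first hit, 'all' collects every hit."""
    results = []
    for rule in rules:
        if rule_matches(rule, attrs):
            results.append(rule.result)
            if policy == "first":
                break
    return results


def authorize(member_of, role_rules, role_policy, enf_rules, enf_policy):
    """Role mapping runs first; its roles become Tips:Role for enforcement."""
    request = {"memberOf": list(member_of)}
    roles = evaluate(role_rules, request, role_policy)
    request["Tips:Role"] = roles
    return roles, evaluate(enf_rules, request, enf_policy)


# Possibility 1: two rules, same role, role mapping set to "Select first match".
ROLE_RULES_P1 = [
    Rule([Condition("memberOf", "CONTAINS", "ADGroup1")], "Employee"),
    Rule([Condition("memberOf", "CONTAINS", "ADGroup2")], "Employee"),
]
# Possibility 2: different roles, role mapping set to "Select all matches".
ROLE_RULES_P2 = [
    Rule([Condition("memberOf", "CONTAINS", "ADGroup1")], "Employee"),
    Rule([Condition("memberOf", "CONTAINS", "ADGroup2")], "VIP"),
]
# Enforcement: the most specific rule (both roles) is on top, as the post advises.
ENFORCEMENT_RULES = [
    Rule([Condition("Tips:Role", "EQUALS", "Employee"),
          Condition("Tips:Role", "EQUALS", "VIP")], "VLAN10"),
    Rule([Condition("Tips:Role", "EQUALS", "Employee")], "VLAN20"),
    Rule([Condition("Tips:Role", "EQUALS", "VIP")], "VLAN30"),
]

# Constructed DNs standing in for the LDAP query result, one row per group.
BOTH_GROUPS = ["CN=ADGroup1,OU=Groups,DC=example,DC=test",
               "CN=ADGroup2,OU=Groups,DC=example,DC=test"]
ONLY_GROUP2 = ["CN=ADGroup2,OU=Groups,DC=example,DC=test"]


def possibility_one(member_of):
    return authorize(member_of, ROLE_RULES_P1, "first", ENFORCEMENT_RULES[1:2], "first")


def possibility_two(member_of, enf_policy="first", enf_rules=ENFORCEMENT_RULES):
    return authorize(member_of, ROLE_RULES_P2, "all", enf_rules, enf_policy)


if __name__ == "__main__":
    print(possibility_one(BOTH_GROUPS))         # (['Employee'], ['VLAN20'])
    print(possibility_two(BOTH_GROUPS))         # (['Employee', 'VIP'], ['VLAN10'])
    print(possibility_two(ONLY_GROUP2))         # (['VIP'], ['VLAN30'])
    # "Select all matches" on the enforcement side: three profiles for one user.
    print(possibility_two(BOTH_GROUPS, "all"))  # (['Employee', 'VIP'], ['VLAN10', 'VLAN20', 'VLAN30'])
```

Passing the enforcement rules in a different order (`ENFORCEMENT_RULES[1:] + ENFORCEMENT_RULES[:1]`) shows the ordering point: with the single-role rule above the two-role rule, a member of both groups gets VLAN20 and the VLAN10 rule is never reached.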
Original Message:
Sent: Jan 30, 2025 05:35 AM
From: Korndal
Subject: Multiple "memberOf" AD Attributes
Yes but what if you have multiple AD Groups and you need to match against each of them?
This is a scenario where a client has multiple AD groups and the result is to be the same. It's not a problem if you only match this, because the role mapping policy can be set to match any, but not the enforcement policy, which can only match all. So in a scenario, group selection is a problem if you want to match if a user has a certain role and is a member of either of 5 possible groups.
Original Message:
Sent: Sep 22, 2022 07:30 AM
From: Herman Robers
Subject: Multiple "memberOf" AD Attributes
Or even better, use AD:Group EQUALS groupname, instead of memberOf CONTAINS in your role mapping or enforcement.
AD:Group EQUALS groupname matches if the user is member of that group.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
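Why the suggestion above is a tighter test than a substring match, as an added example (not ClearPass code or the poster's configuration): memberOf is a list of full DNs, so CONTAINS is a substring test across every row and also hits a group whose name merely starts with the one you want. That AD:Group carries plain group names derived from those DNs is this example's assumption about how the two attributes differ.

```python
"""Added example, not ClearPass code: 'memberOf CONTAINS' versus
'AD:Group EQUALS' on a multi-valued group attribute. Deriving the group
name from the CN of each DN is an assumption of this example."""

import re

# Constructed LDAP result, one row per group the object is a member of.
MEMBER_OF = [
    "CN=ADGroup10,OU=Groups,DC=example,DC=test",
    "CN=Contractors,OU=Groups,DC=example,DC=test",
]


def group_names(member_of):
    """Pull the CN out of each DN; stands in for the AD:Group attribute here."""
    names = []
    for dn in member_of:
        m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        if m:
            names.append(m.group(1))
    return names


def member_of_contains(member_of, needle):
    # Substring test over every row: prefixes and partial names also match.
    return any(needle in dn for dn in member_of)


def ad_group_equals(member_of, name):
    # Exact test against the group name: only the intended group matches.
    return name in group_names(member_of)


def check(member_of, group):
    return {"memberOf CONTAINS": member_of_contains(member_of, group),
            "AD:Group EQUALS": ad_group_equals(member_of, group)}


if __name__ == "__main__":
    print(check(MEMBER_OF, "ADGroup1"))   # CONTAINS True (via ADGroup10), EQUALS False
    print(check(MEMBER_OF, "ADGroup10"))  # both True
```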
Original Message:
Sent: Sep 22, 2022 07:03 AM
From: Jonas Hammarback
Subject: Multiple "memberOf" AD Attributes
Hi
It's normal that you have multiple memberOf rows. If a user is a member of 20 groups you will have 20 of them.
In the role mapping or enforcement you should use the condition Contains instead of Equals.
See the attached screenshot.

------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSP, ACEP
Aranya AB
Original Message:
Sent: Sep 22, 2022 06:43 AM
From: BERNHARD HUSTOMO
Subject: Multiple "memberOf" AD Attributes
Hi All,
I got a case where I need to extract the memberOf attribute from Microsoft AD to use it in an authorization rule, but when I query the AD, this object has two memberOf values (shown as two rows, and every row has a different value).
When checked in AD, this object has multiple 'AD group' entries under the "memberOf" tab, which means it is a member of two so-called OUs.
I tried to alias these two memberOf values into separate rules, but only one shows up.
I don't know how or when this memberOf shows up in the query return, because, for example, if one object has only one memberOf or no memberOf, one object to another will have a different parameter ID of memberOf, right? (Or how is it exactly? Not an AD expert.)
When the endpoint authenticates, at the Input attributes in Access Tracker, I can only see one of them.
So does anyone know how to query the exact memberOf we want?
PS: I am not in charge of the AD, and the customer's AD 99.9% won't change (or we can't change), so we need to find a way.
(Attached some screenshots)