Requirement: How to validate that a user belongs to a specific group, and extract that one group from the many the user is a member of?
For example:
Consider an AD user who is a member of the following groups.
Authorization:LAB AD:Groups | Administrators, Airwave, ClearPass, Contractor, Test_admin, Users, nsteam
Authorization:LAB AD:memberOf | CN=Administrators,CN=Builtin,DC=nslab,DC=com, CN=Airwave,OU=Nested Groups,DC=nslab,DC=com, CN=ClearPass,OU=Nested Groups,DC=nslab,DC=com, CN=Contractor,DC=nslab,DC=com, CN=Test_admin,CN=Users,DC=nslab,DC=com, CN=Users,CN=Builtin,DC=nslab,DC=com, CN=nsteam,DC=nslab,DC=com
Let us validate that the user belongs to the group "Administrator", extract that group, and send the group name to an external target through the RADIUS accounting proxy.
Solution: Add the search filter below to your AD authentication source to validate membership and filter out a specific group.
- (&(cn=<group name>)(member:1.2.840.113556.1.4.1941:=%{UserDN}))
For example, the "Administrator" group from AD can be extracted with the filter below. The cn clause is an equality match: it is case-insensitive but not a substring match, so the value must be the group's full common name (in the attribute listing above the group appears as "Administrators"). The matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) walks nested group membership, so the filter also matches when the user is a member through an intermediate group.
- (&(cn=administrator)(member:1.2.840.113556.1.4.1941:=%{UserDN}))
A wildcard can also be used to filter group names that start with admin.
- (&(cn=admin*)(member:1.2.840.113556.1.4.1941:=%{UserDN}))
More details on the above search filter can be found at https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
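The example below is added here and is not part of the original article or of ClearPass itself. It emulates, against a small constructed in-memory directory, what the filter above asks AD to do: the cn clause is evaluated as an LDAP equality match with "*" as the only wildcard, the member:1.2.840.113556.1.4.1941 clause is evaluated as a transitive (nested) membership walk, and the %{UserDN} substitution that ClearPass performs is replaced by an RFC 4515 escaping routine so that a DN containing filter metacharacters cannot change the shape of the filter. The user DN, the nesting of the groups and the extra "Finance" group are constructed for illustration; the article does not state how its groups are nested.

```python
import re

# Constructed sample directory: group DN -> set of direct member DNs.
# The group names mirror the article's listing; the nesting is assumed.
BASE = "DC=nslab,DC=com"
USER_DN = f"CN=jdoe,CN=Users,{BASE}"          # constructed user
NSTEAM = f"CN=nsteam,{BASE}"

GROUPS = {
    f"CN=Administrators,CN=Builtin,{BASE}": {USER_DN},
    f"CN=Airwave,OU=Nested Groups,{BASE}": {NSTEAM},   # user only via nsteam
    f"CN=ClearPass,OU=Nested Groups,{BASE}": {NSTEAM}, # user only via nsteam
    f"CN=Contractor,{BASE}": {USER_DN},
    f"CN=Test_admin,CN=Users,{BASE}": {USER_DN},
    f"CN=Users,CN=Builtin,{BASE}": {USER_DN},
    NSTEAM: {USER_DN},
    f"CN=Finance,{BASE}": {f"CN=other,CN=Users,{BASE}"},  # user is NOT a member
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c")   # backslash first, then the rest
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\0", "\\00"))


def build_group_filter(cn_pattern, user_dn):
    """Build the article's filter with %{UserDN} already substituted and escaped."""
    return (f"(&(cn={cn_pattern})"
            f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)}))")


def cn_of(dn):
    """Return the value of the first RDN of a DN, e.g. 'Administrators'."""
    return dn.split(",")[0].split("=", 1)[1]


def cn_matches(pattern, cn):
    """LDAP equality on cn: case-insensitive, whole value, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, cn, re.IGNORECASE) is not None


def transitive_member(group_dn, user_dn, groups, seen=None):
    """Emulate LDAP_MATCHING_RULE_IN_CHAIN: follow member -> nested group -> member ..."""
    seen = set() if seen is None else seen
    if group_dn in seen:          # guard against group membership cycles
        return False
    seen.add(group_dn)
    for member in groups.get(group_dn, ()):
        if member == user_dn:
            return True
        if member in groups and transitive_member(member, user_dn, groups, seen):
            return True
    return False


def evaluate_filter(cn_pattern, user_dn, groups):
    """Return the sorted CNs of the groups the filter would return for this user."""
    return sorted(cn_of(g) for g in groups
                  if cn_matches(cn_pattern, cn_of(g))
                  and transitive_member(g, user_dn, groups))


if __name__ == "__main__":
    for pattern in ("administrators", "administrator", "admin*", "airwave", "finance"):
        print(build_group_filter(pattern, USER_DN))
        print("  ->", evaluate_filter(pattern, USER_DN, GROUPS))
```

Running the block shows the pitfall worth checking in Access Tracker: cn=administrators returns the group, cn=administrator returns nothing, cn=admin* returns only Administrators (Test_admin does not start with admin), and cn=airwave is returned even though the constructed user is only a member of Airwave through nsteam.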
Configuration: Add the search filter to the AD authentication source as shown below.
Note: Filter Name and Alias Name can be of your choice.
Verification: The filtered group can be viewed in the "Access Tracker" records under the "Authorization Attributes" section, as shown below.
The filtered attribute can be referenced in an enforcement profile, or when proxying accounting data to an external target such as a firewall.
Below is a sample configuration for adding the filtered group to the accounting proxy.
The output below from the RADIUS accounting proxy target confirms that the AD group "Administrator" is received. The firewall can use this filtered attribute to enforce access policies, if needed.