Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Adding Active Directory Attributes to CPPM Roles

  • 1.  Adding Active Directory Attributes to CPPM Roles

    Posted Feb 02, 2017 09:45 AM

    Hi all,

    I've managed to thoroughly confuse myself with something that I thought was going to be simple.

    We have some AD-joined Macs, and since they don't do machine authentication, I'm having trouble getting them the right CPPM roles.

    Rather than manually build a SHL or Endpoint list, I was hoping that I would be able to query the AD operatingSystem attribute and thus intelligently do the role mappings. (Authorization: AD: operatingSystem : contains: Mac)

    Unfortunately, in the access tracker, I'm not seeing it under authorization attributes or computed attributes, thus, it's not mapping correctly.

    Am I missing something obvious, or could it be because the RADIUS request is coming through as a user request?

    Thanks,

    --Ben



  • 2.  RE: Adding Active Directory Attributes to CPPM Roles

    EMPLOYEE
    Posted Feb 02, 2017 10:09 AM
    Macs CAN do machine authentication.

    Since you're doing a user authentication in this case, you won't be able to use computer properties.

    You have a few options:
    1) Use the device registration database built into ClearPass to register them with a certain tag.
    2) Set up Mac machine authentication.
    3) Issue certs to the Macs with a unique property.


  • 3.  RE: Adding Active Directory Attributes to CPPM Roles

    Posted Feb 02, 2017 01:19 PM

    1.) I was trying to avoid manual (but it'll work)

    2.) I am NOT seeing a way to do this, unless you use TLS with certificates (I'm using PEAP)

    3.) Arrrrrgh more certificates!!! :)