Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Any way to Query AD Machine Auth Cache within Role Mapping

  • 1.  Any way to Query AD Machine Auth Cache within Role Mapping

    Posted Feb 08, 2020 01:28 PM

    I can easily determine within role mapping if a machine is managed by Jamf or MaaS360 by querying the Endpoints data, but is there any way to determine if a machine is AD managed by directly querying the entry in the 24-hour AD machine auth cache?

    I am looking to write policy that says:

    IF Endpoint:MDM Enabled = True ----> Role = Managed

    IF ??Machine AUTH cache = True ----> Role = Managed

    so that in Enforcements I can use a common "Managed" role in my policy.

    Is this possible?

    I know I can have an enforcement that says

    IF Role = [MACHINE] ----> write endpoint attribute LastMachineAuth, and then use it in policy (perhaps even checking the timing of LastMachineAuth), but I was hoping not to have to take this extra step, which requires a second pass.

    So is there any way to directly query the AD MACHINE auth cache during role mapping?

    Thanks,

    Jeff



  • 2.  RE: Any way to Query AD Machine Auth Cache within Role Mapping

    Posted Feb 10, 2020 04:31 AM

    Hi,

    You can't use roles as conditional parameters within a Role Mapping policy.

    The [Machine authenticated] role is computed as part of an implicit mapping before your own role mapping rules.

    If your authentication source is Active Directory, there are two attributes that let you determine if the account is a computer:

    - (sAMAccountType=805306369)

    - (objectCategory=computer)

    These are not part of the default attributes queried for AD auth sources, so you'll have to create a custom filter on your Authentication source to grab the value of one of these attributes and use it in role mappings.

    Your role mappings would then become something like:

    IF Endpoint:MDM Enabled = True ----> Role = Managed

    IF ActiveDirectory:ObjectCategory = computer ----> Role = Managed

    or

    IF Endpoint:MDM Enabled = True ----> Role = Managed

    IF ActiveDirectory:AccountType = 805306369 ----> Role = Managed

    Cheers,



  • 3.  RE: Any way to Query AD Machine Auth Cache within Role Mapping

    Posted Feb 10, 2020 08:43 PM

    Sacha,

    Great info, but I don't think it solves my issue. What I am trying to do is figure out a way to determine if a machine is AD managed during a User authentication.

    I am wondering if it might be possible to use Authorization:[Endpoints Repository]:Hostname to query the AD auth source and see if that host has an sAMAccountType=805306369.

    Can you think of any way to make this work?

    Thanks,

    Jeff



  • 4.  RE: Any way to Query AD Machine Auth Cache within Role Mapping
    Best Answer

    Posted Mar 03, 2020 05:19 AM

    Hi,

    Sorry for the late update.

    You can implement the behavior you want:

    1) Your AD should be in the Authorization sources.

    2) Create a custom filter in your AD source with a Query Filter that should look something like (&(sAMAccountName=%{Authorization:[Endpoints Repository]:Hostname})(objectClass=user))

    From there you can create an attribute for sAMAccountType (you can alias it to make it more meaningful).

    3) Then you can check for the existence or value of this attribute in your policies. Best practice would be to create a role "AD Managed Machine" encapsulating this check.

    Hope it was not too late.

    Regards
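An added example, not code from this thread or from HPE Aruba, that models Sacha's two replies in plain Python so the logic can be exercised offline: the sAMAccountType / objectCategory test for a computer object (805306369 is SAM_MACHINE_ACCOUNT, 0x30000001), the Query Filter from the Best Answer built from the endpoint hostname, and the two role-mapping rules Jeff asked for. ClearPass builds and evaluates the filter itself; here a constructed dictionary stands in for the AD authorization source, and `ad_lookup()` evaluates only the one filter shape the example emits. Two assumptions are labelled in the code: AD names computer accounts `HOSTNAME$`, so the example appends the `$` that an Endpoints Repository hostname normally lacks, and the hostname is escaped per RFC 4515 before interpolation, since that attribute is usually learned from the device itself and should not be able to change the meaning of the filter.

```python
"""Added example (not from the thread or HPE Aruba): the AD machine-account
check and role mapping discussed above, run against a constructed stand-in
for the Active Directory authorization source."""
import re

# sAMAccountType value quoted in the thread: SAM_MACHINE_ACCOUNT (0x30000001).
SAM_MACHINE_ACCOUNT = 805306369
SAM_NORMAL_USER_ACCOUNT = 805306368  # 0x30000000, for the constructed user entry

# Constructed stand-in for the AD authorization source: sAMAccountName -> attributes.
FAKE_AD = {
    "LAPTOP-0042$": {  # a domain-joined computer account (note the trailing '$')
        "sAMAccountType": SAM_MACHINE_ACCOUNT,
        "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com",
    },
    "jeff": {  # an ordinary user account
        "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
        "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",
    },
}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\', NUL and non-ASCII bytes become \\xx hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        if byte > 0x7F or chr(byte) in "*()\\\x00":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def ldap_unescape(value: str) -> str:
    """Inverse of ldap_escape(), used by the stand-in directory evaluator."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def machine_lookup_filter(hostname: str) -> str:
    """The Query Filter from the Best Answer, built from the endpoint hostname.
    Assumptions: AD computer accounts are named HOSTNAME$, so a '$' is appended
    if missing; the hostname is escaped so a device-supplied value cannot alter
    the filter (the '%{...}' substitution is what ClearPass does internally)."""
    sam = ldap_escape(hostname.rstrip("$")) + "$"
    return f"(&(sAMAccountName={sam})(objectClass=user))"


def ad_lookup(query_filter: str):
    """Evaluate only the filter shape machine_lookup_filter() emits against FAKE_AD.
    Anything else (including a filter with stray parentheses) returns no entry."""
    m = re.fullmatch(r"\(&\(sAMAccountName=([^()]*)\)\(objectClass=user\)\)", query_filter)
    if not m:
        return None
    wanted = ldap_unescape(m.group(1)).lower()  # sAMAccountName matching is case-insensitive
    for name, attrs in FAKE_AD.items():
        if name.lower() == wanted:
            return attrs
    return None


def is_computer_entry(entry: dict) -> bool:
    """Sacha's first reply: either attribute identifies a computer object."""
    if entry.get("sAMAccountType") == SAM_MACHINE_ACCOUNT:
        return True
    return entry.get("objectCategory", "").upper().startswith("CN=COMPUTER,")


def ad_managed_machine(hostname: str) -> bool:
    """The 'AD Managed Machine' role from the Best Answer: the endpoint hostname
    resolves to an AD object and that object is a computer account."""
    entry = ad_lookup(machine_lookup_filter(hostname))
    return entry is not None and is_computer_entry(entry)


def map_role(endpoint: dict) -> str:
    """The two role-mapping rules from the thread, evaluated during a user auth.
    'endpoint' is a constructed stand-in for the Endpoints Repository record."""
    if endpoint.get("MDM Enabled") is True:
        return "Managed"
    if ad_managed_machine(endpoint.get("Hostname", "")):
        return "Managed"
    return "Unmanaged"


if __name__ == "__main__":
    for ep in ({"MDM Enabled": True, "Hostname": "ipad-7"},
               {"MDM Enabled": False, "Hostname": "LAPTOP-0042"},
               {"Hostname": "byod-phone"},
               {"Hostname": "*)(objectClass=*"}):  # device-supplied junk stays inert
        print(ep.get("Hostname"), "->", machine_lookup_filter(ep.get("Hostname", "")), "->", map_role(ep))
```

The last sample endpoint shows why the escaping matters: a hostname of `*)(objectClass=*` is emitted as `\2a\29\28objectClass=\2a$` inside the filter, so it matches nothing instead of widening the search. In a real deployment the same checks live in the ClearPass custom filter and role mapping, and the attribute alias you choose for sAMAccountType is what the "AD Managed Machine" role tests.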