Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication source filter versus enforcement profile

  • 1.  Authentication source filter versus enforcement profile

    Posted Dec 15, 2014 04:27 PM

    If I want to authorize users based on the value of, say, the memberof attribute in AD, my understanding is I can do this via the filter attributes under auth source or I can write an enforcement rule to check the AD attribute. Assuming I don't need to return a RADIUS attribute to the client based on this value, does it matter which method I use? Is one way more efficient than the other?

    I tried both ways in testing and it looks like the only difference for a reject is that with the filter method I get a user not found message and with the enforcement method I get "Applied 'Reject' profile".

    Thanks in advance.



  • 2.  RE: Authentication source filter versus enforcement profile

    EMPLOYEE
    Posted Dec 15, 2014 05:14 PM

    You may want to use the pre-built groups attribute combined with a role map. Then you can reference the TIPS role in your enforcement.



  • 3.  RE: Authentication source filter versus enforcement profile

    Posted Dec 16, 2014 09:54 AM

    @cappalli wrote:

    You may want to use the pre-built groups attribute combined with a role map. Then you can reference the TIPS role in your enforcement.


    Is there an advantage to creating a role based on authorization attributes and then interrogating that role in the enforcement versus just interrogating the authorization attribute in the enforcement policy?