
Occasional Contributor I

CPPM & how to filter extensionAttributes in AD

Because of a company reorganisation we have to redesign our NAC setup. Some entities may not communicate with other entities, etc. The AD will not split, nor will the server setup.

However, network-wise it will split. So I wanted to see what my options are here.


My first attempt was to use an extensionAttribute in the AD with a specific value per PC;

ad.JPG

Then, in the CPPM, under authentication sources I added this attribute;

src.JPG

This should provide the link between the AD's attribute and CPPM, right?


Next was to specify the enforcement policy;

pol.JPG


I thought this would do the trick, but instead it falls back on the radius VLAN Enforcement profile (seen on line 3);

out.JPG


What am I missing here?

Or do I have to review my approach?

Please advise!

MVP Guru

Re: CPPM & how to filter extensionAttributes in AD

Check access tracker log to see if it is fetching proper attributes and also try clear cache and check the status.

Regards,
Pavan
If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: CPPM & how to filter extensionAttributes in AD

might be a typo in the Enforcement rule ? (ASESO vs ACESO)

Occasional Contributor I

Re: CPPM & how to filter extensionAttributes in AD

Nice catch, it was indeed a typo, but it was corrected before I posted this issue.

Occasional Contributor I

Re: CPPM & how to filter extensionAttributes in AD

I cleared the cache and checked the log. I cannot see that CPPM is fetching this attribute.
However, if I check the AD via the filter option in the authentication sources, I clearly see that the CPPM is able to see this attribute. But why doesn't it try to fetch it during the authentication?

filter.JPG

MVP Guru

Re: CPPM & how to filter extensionAttributes in AD

I just checked in the lab and it works for me. Do you see the extension attribute in Access Tracker under Input - Authorization Attributes:

Screen Shot 2019-08-29 at 17.24.06.png

If it doesn't show, the reason could be that the Base DN in your AD authentication server is set to the Users OU and for that reason it is not searching in CN=Computers. Make sure that the Base DN is set high enough (I have it set to dc=arubalab,dc=com, not cn=Users,dc=arubalab,dc=com) to include your computers in the search.


Also a role mapping from the extension attribute to a ClearPass role works fine:

Screen Shot 2019-08-29 at 17.36.27.png

Role Computer is assigned:

Screen Shot 2019-08-29 at 17.35.51.png

The most important step is to see the attribute show up in Access Tracker. Unless it is shown there, there is no use looking at matching/mapping.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
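To make the Base DN point above concrete, here is a small added example (my own, not code from the thread or from ClearPass) that checks whether a computer object's DN falls inside a search base, and builds the kind of LDAP filter an authorization lookup uses. The DNs, the attribute name `extensionAttribute1` and the value `ACESO` are constructed assumptions for illustration.

```python
def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair as-is
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def norm_rdn(rdn):
    """Case-insensitive (attr, value) pair so DC=com and dc=com compare equal."""
    attr, _, val = rdn.partition("=")
    return attr.strip().lower(), val.strip().lower()

def in_scope(object_dn, base_dn):
    """True if object_dn sits at or below base_dn (a subtree search would find it)."""
    obj = [norm_rdn(r) for r in split_dn(object_dn)]
    base = [norm_rdn(r) for r in split_dn(base_dn)]
    return len(obj) >= len(base) and obj[len(obj) - len(base):] == base

def ldap_escape(value):
    """Escape a filter value per RFC 4515 so attribute data cannot alter the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def computer_filter(attr, value):
    """Filter for computer objects carrying a given extension attribute value."""
    return "(&(objectClass=computer)(%s=%s))" % (attr, ldap_escape(value))

def scope_report(base_dn, computer_dns):
    """Map each computer DN to whether the configured Base DN would reach it."""
    return {dn: in_scope(dn, base_dn) for dn in computer_dns}

if __name__ == "__main__":
    # Constructed sample: one machine account in the default Computers container.
    pcs = ["CN=PC01,CN=Computers,DC=arubalab,DC=com"]
    print(scope_report("cn=Users,dc=arubalab,dc=com", pcs))   # too narrow: False
    print(scope_report("dc=arubalab,dc=com", pcs))            # domain root: True
    print(computer_filter("extensionAttribute1", "ACESO"))
```

A `False` in the report for a Base DN set to the Users container is exactly the situation where Access Tracker shows no authorization attributes for the machine.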
Occasional Contributor I

Re: CPPM & how to filter extensionAttributes in AD

Thanks for the clear explanation.

The base DN wasn't set high enough, but despite solving this I still get the same result.
I don't see the authorization attributes at all in a request, how does one configure this?


Occasional Contributor I

Re: CPPM & how to filter extensionAttributes in AD

Never mind, got it.
