Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM & how to filter extensionAttributes in AD

  • 1.  CPPM & how to filter extensionAttributes in AD

    Posted Aug 28, 2019 09:39 AM

    Because of a company reorganisation we have to redesign our NAC setup. Some entities may not communicate with other entities, etc. The AD will not split, nor will the server setup.

    However, network-wise it will split. So I wanted to see what my options are here.


    My first attempt was to use an extensionAttribute in the AD with a specific value per PC;

    ad.JPG

    Then, in the CPPM, under authentication sources I added this attribute;

    src.JPG

    This should provide the link between the AD's attribute and CPPM, right?


    Next was to specify the enforcement policy;

    pol.JPG


    I thought this would do the trick, but instead it falls back on the radius VLAN Enforcement profile (seen on line 3);

    out.JPG


    What am I missing here?

    Or do I have to review my approach?

    Please advise!



  • 2.  RE: CPPM & how to filter extensionAttributes in AD

    EMPLOYEE
    Posted Aug 28, 2019 11:20 AM

    Check the Access Tracker log to see if it is fetching the proper attributes, and also try clearing the cache and check the status.



  • 3.  RE: CPPM & how to filter extensionAttributes in AD

    Posted Aug 29, 2019 04:41 AM

    I cleared the cache and checked the log. I cannot see that CPPM is fetching this attribute.
    However, if I check the AD via the filter option in the authentication sources, I clearly see that CPPM is able to see this attribute. But why doesn't it try to fetch it during the authentication?

    filter.JPG



  • 4.  RE: CPPM & how to filter extensionAttributes in AD
    Best Answer

    EMPLOYEE
    Posted Aug 29, 2019 11:39 AM

    I just checked in the lab and it works for me. Do you see the extension attribute in Access Tracker under Input - Authorization Attributes:

    Screen Shot 2019-08-29 at 17.24.06.png

    If it doesn't show, the reason could be that the Base DN in your AD authentication server is set to the Users OU and for that reason it is not searching in CN=Computers. Make sure that the Base DN is set high enough (I have it set to dc=arubalab,dc=com, not cn=Users,dc=arubalab,dc=com) to include your computers in the search.


    Also a role mapping from the extension attribute to a ClearPass role works fine:

    Screen Shot 2019-08-29 at 17.36.27.png

    Role Computer is assigned:

    Screen Shot 2019-08-29 at 17.35.51.png

    The most important step is to see the attribute show up in Access Tracker. Unless it is shown there, there is no use in looking at matching/mapping.
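    A check for the Base DN problem described in this answer, as an added example that is not part of the thread or of ClearPass: it models a subtree LDAP search from a configured Base DN over a small constructed directory (the dc=arubalab,dc=com names and attribute values are sample data) and shows that cn=Users never reaches a computer object, while the domain root does.

```python
# Added example, not ClearPass code: model a subtree LDAP search from a
# configured Base DN and show why cn=Users misses computer objects.
# DNs and attribute values below are constructed samples.

def parse_dn(dn: str) -> list:
    """Split a DN into normalized RDNs, most specific first. Backslash-
    escaped commas stay in the value; AD compares DNs case-insensitively."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return [p.strip().lower() for p in parts]

def in_subtree(base_dn: str, object_dn: str) -> bool:
    """True if object_dn is the base itself or lies anywhere beneath it."""
    base, obj = parse_dn(base_dn), parse_dn(object_dn)
    return len(obj) >= len(base) and obj[len(obj) - len(base):] == base

# Constructed directory: a user plus two computers; PC-001 carries the
# extensionAttribute1 value the thread keys its enforcement policy on.
DIRECTORY = [
    {"dn": "CN=jdoe,CN=Users,DC=arubalab,DC=com", "objectClass": "user",
     "extensionAttribute1": None},
    {"dn": "CN=PC-001,CN=Computers,DC=arubalab,DC=com",
     "objectClass": "computer", "extensionAttribute1": "ACESO"},
    {"dn": "CN=PC-002,OU=Workstations,DC=arubalab,DC=com",
     "objectClass": "computer", "extensionAttribute1": "OTHER"},
]

def fetch_extension_attribute(base_dn: str, computer_cn: str, entries=DIRECTORY):
    """Mimic the authorization fetch: return extensionAttribute1 for the named
    computer, or None when the Base DN's subtree never reaches that object."""
    wanted = f"cn={computer_cn}".lower()
    for entry in entries:
        if entry["objectClass"] == "computer" and parse_dn(entry["dn"])[0] == wanted:
            return entry["extensionAttribute1"] if in_subtree(base_dn, entry["dn"]) else None
    return None

if __name__ == "__main__":
    for base in ("cn=Users,dc=arubalab,dc=com", "dc=arubalab,dc=com"):
        print(base, "->", fetch_extension_attribute(base, "PC-001"))
```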



  • 5.  RE: CPPM & how to filter extensionAttributes in AD

    Posted Aug 30, 2019 03:04 AM

    Thanks for the clear explanation.

    The base DN wasn't set high enough, but despite solving this I still get the same result.
    I don't see the authorization attributes at all in a request. How does one configure this?




  • 6.  RE: CPPM & how to filter extensionAttributes in AD

    Posted Aug 30, 2019 04:19 AM

    Never mind, got it.



  • 7.  RE: CPPM & how to filter extensionAttributes in AD

    Posted Sep 01, 2020 09:41 AM

    Hi, how did you get this working?



  • 8.  RE: CPPM & how to filter extensionAttributes in AD

    Posted Sep 01, 2020 09:58 AM

    Hi,
    Yes, we got it up and running.
    Make sure you set the base dn high enough.
    Under authentication sources, in your AD, configure the attribute you want to fetch, and try to get it there. Once that's OK, see if you can fetch it during an authentication attempt. In the log you'll see how you can filter it in the policies, and then link it to a profile or role.

    Check how Herman described it!



  • 9.  RE: CPPM & how to filter extensionAttributes in AD

    Posted Aug 29, 2019 04:21 AM

    Might be a typo in the Enforcement rule? (ASESO vs ACESO)



  • 10.  RE: CPPM & how to filter extensionAttributes in AD

    Posted Aug 29, 2019 04:33 AM

    Nice catch, it was indeed a typo, but it was corrected before I posted this issue.