Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

ClearPass doesn't update user attributes from AD and problems with roles

This thread has been viewed 8 times

  • 1.  ClearPass doesn't update user attributes from AD and problems with roles

    Posted Jul 11, 2018 06:20 PM

    Hi guys,

     

    While integrating ClearPass with Fortinet and doing tests, I realized of two things:

     

    1. When I change some attributes in the user account in AD, ClearPass doesn't update the new changes. For example, my user firstly belonged to one group called "Ludwines", and I saw that detail correctly in ClearPass:accesstracker1.PNGI updated the user account to belong to more than one group, and changed the department, but the Request Details keeps showing the same information as above, so ClearPass doesn't take those changes. I disconnected and connected the user, I forgot the network and connected again, with no success. Why?
    2. I created a service and in the Accounting Proxy tab I set to send the role assigned to the user as the Filter-Id to the Fortigate :accprox.PNGAnd it works well, I see ClearPass sends the role assigned to the user, for example, the role "Ludwines", but the problem is it also sends the role "[User Authenticated]". And as you can see below, this role is assigned automatically to the user because is authenticated, I don't know why:accesstracker2.PNGIs there any way to send only the actual user's role and not the role "[User Authenticated]"?

    Many thanks in advance,

    Julián



  • 2.  RE: ClearPass doesn't update user attributes from AD and problems with roles
    Best Answer

    EMPLOYEE
    Posted Jul 11, 2018 06:23 PM
    1. Auth sources have a cache for perform reasons. You can lower/disable them for testing, but you should not disable them in production.
    2. No


  • 3.  RE: ClearPass doesn't update user attributes from AD and problems with roles

    Posted Jul 11, 2018 07:01 PM

    Hi Tim,

     

    Many thanks. I have tried clearing the cache and then ClearPass did update the user's AD attributes.

    For point 2, then is there anyway to send a string value as the Filter-Id in the Accounting Proxy tab? For example, if user belongs to "Group1" send "Test1" and if user belongs to "Group2" send "Test2". I don't find an option to do this, the values for Filter-Id, apart from typing manually %{Tips:Role}, are %{Authorization:xxx} attributes. I have tried to use the %{Authorization:memberOf}, but it sends the AD Group in LDAP format such as "CN=Ludwines,DC=supra,DC=tro", and not as "Ludwines" as I want.

    According to the Integration with 3rd Party Enforcement Points ClearPass & Fortinet utilizing RESTful API and RADIUS Accounting this can be achieved doing a mapping between memberOf and roles (pag. 18-19), but in my case, as said previously, it also sends the value [User Authenticated].

     

    Thanks for your help,

    Julián



  • 4.  RE: ClearPass doesn't update user attributes from AD and problems with roles
    Best Answer

    EMPLOYEE
    Posted Jul 11, 2018 07:04 PM
    Use Groups instead of memberOf


  • 5.  RE: ClearPass doesn't update user attributes from AD and problems with roles

    Posted Jul 12, 2018 10:21 AM

    Hi Tim,

     

    I tried that last option and works! Many thanks.

    One more question. In my testing lab, I have ClearPass, two IAPs and a FortiGate. The accounting interval in my IAPs is set to 1 min. When I connect the client to the network, I can see the accounting tab in the Request Details immediately:

    acc_tab.PNGAnd the first accounting message from ClearPass to FortiGate is also sent inmmediately.

     

    In my customer, the scenario is the same, but instead of having an IAP, there are APs managed by an Aruba Controller, and the accounting interval is set to 5 min. (the minimum value). When I connect the client to the network, I can see the accounting tab in the Request Details after around 2 min, and it takes that same time to send the first accounting message from ClearPass to FortiGate, which holds the attributes, and therefore I can't see the user details in FortiGate after 2 min (delaying firewall policies, etc.). Do you know if the accounting messages interval sent from ClearPass to the proxy target depend on the accouting interval set on the NAD? Or is it set on some ClearPass parameter? If so, maybe my customer's ClearPass have a different value for that parameter that my ClearPass. I have browsed the configuration guide and googled but I found nothing related to that.

     

    Regards,

    Julián



  • 6.  RE: ClearPass doesn't update user attributes from AD and problems with roles

    Posted Jul 17, 2018 05:52 PM

    Hi,

     

    If anyone is interested, for this question:

     

    Do you know if the accounting messages interval sent from ClearPass to the proxy target depend on the accouting interval set on the NAD? Or is it set on some ClearPass parameter?

     

    The frequency of the accounting messages sent from ClearPass to the proxy target depends on the accounting interval set on the NAD, since ClearPass only forwards the interim accounting updates it receives from the NAS to the external target.

    In this regard, the IAP is better than the controller since the minimum interval in the IAP is 1 min. and the minimum interval in the controller is 5 min.

     

    Regards,

    Julián