Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Contains vs equal clearpass policy Manager

  • 1.  Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:15 AM

    Hello

    I was building a rule just now as I was preparing a demo... and I was stuck for a whole 10 minutes.

    I have a group in AD whose name is Ingenieria.

    So I was building a rule which says memberOf EQUALS Ingenieria... it didn't work...

    But as soon as I changed it to CONTAINS it worked...

    What's the difference?

    As far as I knew, EQUALS is just that, equals... it was looking for a group in Active Directory with that same name...

    CONTAINS would be an AD group that contains the word Ingenieria...

    Am I wrong? If so, can you guys enlighten me on this?

     

    Cheers

    Carlos



  • 2.  RE: Contains vs equal clearpass policy Manager
    Best Answer

    EMPLOYEE
    Posted May 16, 2014 10:17 AM

    EQUALS means it solely contains that single, unique value. Since memberOf may have multiple values, you need to use CONTAINS.



  • 3.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:27 AM

    So basically on memberOf you always have to use CONTAINS? You never use EQUALS?

     

    Cheers

    Carlos



  • 4.  RE: Contains vs equal clearpass policy Manager

    EMPLOYEE
    Posted May 16, 2014 10:29 AM
    Yes, I always use CONTAINS.


  • 5.  RE: Contains vs equal clearpass policy Manager

    Posted May 16, 2014 10:29 AM

    It's just that, as I'm referring to a group name, for me it has a single unique value... the only name it has, which in this case is Ingenieria...

    That's why I don't understand...

    Cheers

    Carlos



  • 6.  RE: Contains vs equal clearpass policy Manager
    Best Answer

    EMPLOYEE
    Posted May 16, 2014 10:30 AM

    For memberOf... ALWAYS use CONTAINS. EQUALS will never hit, as you would need to match on the entire string returned from AD.



  • 7.  RE: Contains vs equal clearpass policy Manager

    EMPLOYEE
    Posted May 16, 2014 10:55 AM

    Edit.



  • 8.  RE: Contains vs equal clearpass policy Manager

    EMPLOYEE
    Posted May 17, 2014 11:14 AM

    For memberOf, you need to use CONTAINS; if you use the Groups property, you can use EQUALS:

    (Authorization:dc-02.nl:Groups  EQUALS  Domain Admins)

    Personally I tend to use Groups instead of memberOf, as it makes a more thorough match.



  • 9.  RE: Contains vs equal clearpass policy Manager

    MVP
    Posted May 20, 2014 10:16 AM

    How is Groups better than memberOf? BTW, for a more exact match, you need to use the full path with memberOf, like

    (Authorization:SENSENET Domain:memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu)

    If you use (Authorization:SENSENET Domain:memberOf  CONTAINS  Staff) it would match any group that contains the string "Staff" and any group in a path that contains "Staff".

    What is the behavior of using "Groups EQUALS"?



  • 10.  RE: Contains vs equal clearpass policy Manager

    EMPLOYEE
    Posted May 20, 2014 10:32 AM

    In your example, memberOf  CONTAINS  CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu is indeed a complete match.

    And that is functionally equal to Groups EQUALS Staff (which is much shorter).

    Where a possible issue lies is, as in the question, where memberOf CONTAINS Ingenieria. In that case, CN=Disabled-Users,OU=Ingenieria,DC=domain,DC=com will also match.

    Groups EQUALS Ingenieria does exactly what is expected in this question, and seems better for overview to me in most cases. This does not match anything other than the group name Ingenieria.

    So I prefer to use the Groups EQUALS variant, as it better matches the expectations that many users have and for that reason avoids errors.

     

    Herman
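The matching behaviour discussed in this thread (EQUALS never hitting on memberOf, a short CONTAINS operand pulling in a group that merely sits under an OU with the same name, and Groups EQUALS giving an exact group-name match) can be reproduced with a small model. The following is an added example written for this page, not ClearPass code and not code from any poster; it assumes EQUALS is an exact, case-insensitive comparison against each value of a multi-valued attribute, that CONTAINS is a substring test against each value, and that the Groups attribute is the CN of each memberOf DN (the thread states that Groups EQUALS Staff is functionally equal to a full-DN memberOf match). The sample memberOf values are constructed for the example.

```python
"""Model of ClearPass-style EQUALS / CONTAINS conditions over AD memberOf.

Added example for this thread. Assumptions (not ClearPass's engine):
 - EQUALS: some value of the attribute equals the operand (case-insensitive)
 - CONTAINS: the operand is a substring of some value of the attribute
 - Groups: the CN of each group DN listed in memberOf
"""


def split_dn(dn):
    """Split an LDAP DN into (ATTR, value) RDN pairs.

    Honours backslash escapes (RFC 4514 style), so a group whose CN holds a
    comma, e.g. 'CN=Sales\\, EMEA,OU=Groups,...', is not cut in the wrong place.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def group_names(memberof):
    """Derive a Groups-like attribute: the CN (group name) of each memberOf DN.

    Assumption: this mirrors what the thread describes for ClearPass's Groups
    attribute; it is not how ClearPass itself builds that attribute.
    """
    names = []
    for dn in memberof:
        pairs = split_dn(dn)
        if pairs and pairs[0][0] == "CN":
            names.append(pairs[0][1])
    return names


def matching_values(values, operator, operand):
    """Return every attribute value that satisfies the condition.

    Returning the values (not just True/False) shows exactly which extra
    groups an over-broad CONTAINS operand pulls in.
    """
    needle = operand.casefold()
    if operator == "EQUALS":
        return [v for v in values if v.casefold() == needle]
    if operator == "CONTAINS":
        return [v for v in values if needle in v.casefold()]
    raise ValueError(f"unsupported operator: {operator}")


def condition_hits(values, operator, operand):
    """True if the role-mapping condition would fire for this attribute."""
    return bool(matching_values(values, operator, operand))


# Constructed sample: memberOf as AD returns it for one user. It includes the
# trap from the thread (a group under an OU named Ingenieria) and a CN with an
# escaped comma.
SAMPLE_MEMBEROF = [
    "CN=Ingenieria,OU=Groups,DC=domain,DC=com",
    "CN=Disabled-Users,OU=Ingenieria,DC=domain,DC=com",
    "CN=Staff,OU=Security Groups,OU=IS,OU=FSA,DC=University,DC=liberty,DC=edu",
    "CN=Sales\\, EMEA,OU=Groups,DC=domain,DC=com",
]


def audit(memberof):
    """Evaluate the four condition styles from the thread against one user."""
    groups = group_names(memberof)
    return {
        "memberOf EQUALS Ingenieria": matching_values(memberof, "EQUALS", "Ingenieria"),
        "memberOf CONTAINS Ingenieria": matching_values(memberof, "CONTAINS", "Ingenieria"),
        "memberOf CONTAINS <full DN>": matching_values(
            memberof, "CONTAINS", "CN=Ingenieria,OU=Groups,DC=domain,DC=com"),
        "Groups EQUALS Ingenieria": matching_values(groups, "EQUALS", "Ingenieria"),
    }


if __name__ == "__main__":
    for condition, hits in audit(SAMPLE_MEMBEROF).items():
        print(f"{condition:32} -> {hits}")
```

Running it shows the thread's point in one screen: EQUALS on memberOf matches nothing, CONTAINS Ingenieria matches both the real group and CN=Disabled-Users,OU=Ingenieria,..., and either the full-DN CONTAINS or Groups EQUALS matches only the intended group. Note that even a tighter substring such as "CN=Ingenieria," is still a substring test, so it would also match a same-named group in a different OU; an exact match on the group name is what removes that ambiguity.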



  • 11.  RE: Contains vs equal clearpass policy Manager

    Posted Feb 15, 2021 08:20 PM
    Herman,

    I know this is a super old thread. In my ClearPass 6.9 I don't seem to pull down a group attribute on authentication to validate the group name with EQUALS. Here is what I see to validate against. Any idea if I am missing something to pull down the group name? I had an issue where two memberOf names were similar and CONTAINS threw me for a loop when it was put in the wrong policy.

    Thanks!



    ------------------------------
    Christopher Calhoun
    ------------------------------


  • 12.  RE: Contains vs equal clearpass policy Manager

    EMPLOYEE
    Posted Feb 16, 2021 04:50 AM
    Just add a check on 'Groups EQUALS' and the Groups will (likely) show up in Access Tracker. If attributes are not used during role-mapping or enforcement, they may not be retrieved as a performance optimization.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 13.  RE: Contains vs equal clearpass policy Manager

    Posted Feb 16, 2021 07:23 AM
    Makes perfect sense I will give it a try today in my Lab. Will let you know how it goes.

    Thanks,
    Chris

    ------------------------------
    Christopher Calhoun
    ------------------------------



  • 14.  RE: Contains vs equal clearpass policy Manager

    Posted Feb 16, 2021 07:50 AM
    Thanks so much Herman. This has plagued me since the beginning of installing ClearPass. I guess I should have asked earlier. Now I can do EQUALS and not have to worry about similar names in the first applicable selections.

    There it is!



    ------------------------------
    Christopher Calhoun
    ------------------------------