Regular Contributor II

Deep-Nested Active Directory Queries

Hi there,

I just followed the following instructions, but can't get any data to show on TokenGroups:

https://www.arubanetworks.com/techdocs/ClearPass/6.9/PolicyManager/Content/CPPM_UserGuide/Enforce/Enforce_policy_rapid_LDAP_queries.htm?tocpath=Enforcement%20Profiles%20and%20Policies%7C_____3

Does anyone have this (nested groups) working?

Thanks

MVP Guru

Re: Deep-Nested Active Directory Queries

Just tried and it works for me. This tokenGroups thing is reported to perform much better than the traditional nested groups I used before. It was new to me, so it was good to have a look.

Did you apply the modified authentication source to the service? And did you do something with the attribute during role mapping or enforcement? If you don't use or test an attribute, it will not be pulled: since it makes no difference to the decision, it's optimized out of your query.

What I did change in the authentication source is that I selected 'as attribute' to get it in the Input tab of Access Tracker:

[screenshot: authentication source attribute settings]

Then, to trigger something, I used a simple 'exists' check in the role mapping, but checking the S-number should work as well:

[screenshot: role mapping rule]

Then in an authentication, I see all the nested group IDs:

[screenshot: Access Tracker input]

I created a 3-level group hierarchy: Level 1 with member Level 2, with member Level 3, with my user. In the Nested Groups / tokenGroups attribute, I see the SIDs for all three levels (and other groups the user is a member of, like Domain Users):

S-1-5-21-1532318898-2625386876-3981842600-1114, S-1-5-21-1532318898-2625386876-3981842600-1115, S-1-5-21-1532318898-2625386876-3981842600-1116, S-1-5-21-1532318898-2625386876-3981842600-1609, S-1-5-21-1532318898-2625386876-3981842600-513, S-1-5-32-545

Ticking 'as attribute' and testing the retrieved attribute are most likely the issues behind you not seeing them in Access Tracker.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
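The tokenGroups attribute Active Directory returns is a multi-valued list of binary SIDs, which is what ClearPass decodes into the S-1-5-... strings quoted above. The following is an added example (my own code, not from this thread and not ClearPass or Aruba code) showing how those binary values are laid out and how to decode them, check membership of a specific group, and pull out the RID. The sample data is constructed: it re-encodes the SIDs quoted in the post exactly as AD would hand them over the wire. One caveat worth knowing when building your own LDAP filters: tokenGroups is a constructed attribute, so AD only returns it on a base-scope search of the user's own object, not in a subtree search with a filter.

```python
import struct

# Binary SID layout (Microsoft SID structure):
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities (0..15)
#   bytes 2-7   48-bit identifier authority, big-endian
#   bytes 8..   N x 32-bit sub-authorities, little-endian
MAX_SUB_AUTHORITIES = 15


def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID (as returned in tokenGroups / objectSid) into S-R-I-S... form."""
    if len(raw) < 8:
        raise ValueError("binary SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > MAX_SUB_AUTHORITIES:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample data."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def decode_token_groups(values):
    """Decode every value of a multi-valued tokenGroups attribute."""
    return [sid_to_string(v) for v in values]


def is_member(token_groups, group_sid: str) -> bool:
    """True if the user is a (transitive) member of group_sid.

    AD already flattens nesting into tokenGroups, so a plain lookup is enough;
    no recursive memberOf walk is needed.
    """
    return group_sid in decode_token_groups(token_groups)


def rid(sid_text: str) -> int:
    """Relative identifier: the last sub-authority (513 is the well-known Domain Users RID)."""
    return int(sid_text.rsplit("-", 1)[1])


# Constructed sample: the SIDs quoted in the thread, re-encoded as AD would return them.
SAMPLE_TOKEN_GROUPS = [string_to_sid(s) for s in (
    "S-1-5-21-1532318898-2625386876-3981842600-1114",
    "S-1-5-21-1532318898-2625386876-3981842600-1115",
    "S-1-5-21-1532318898-2625386876-3981842600-1116",
    "S-1-5-21-1532318898-2625386876-3981842600-1609",
    "S-1-5-21-1532318898-2625386876-3981842600-513",
    "S-1-5-32-545",
)]

if __name__ == "__main__":
    for sid in decode_token_groups(SAMPLE_TOKEN_GROUPS):
        print(sid, "RID", rid(sid))
    # The level-3 group from the thread, reachable only through nesting
    print(is_member(SAMPLE_TOKEN_GROUPS, "S-1-5-21-1532318898-2625386876-3981842600-1116"))
```

Matching on the full SID string rather than a group name is the robust way to write the role-mapping check: a group can be renamed or moved, but its SID is stable, and the domain portion guards against a same-named group in another domain.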
Regular Contributor II

Re: Deep-Nested Active Directory Queries

Hi,

Actually, after I opened the topic I did figure out that it does work. But not as I need.

I must query the groups not with %{Authentication:Username}, but with %{Endpoint:Username}. But the nested query only seems to work with %{Authentication:Username}. If I change it to %{Endpoint:username}, nothing gets returned.

Is this somehow hardcoded internally? All my other LDAP queries for the same source work fine with %{Endpoint:Username}, except for tokenGroups.

Thanks.

MVP Guru

Re: Deep-Nested Active Directory Queries

I checked, and see the same. Also, the memberOf and Groups fields are present when using Authentication:Username, but missing with Endpoint:Username. Most other fields show up, but it looks like the group/memberOf-related ones are missing.

When I look at 'show logs' in Access Tracker, I do see some 'Failed to construct filter' messages around memberOf. We probably did the same, and I seem to see the same.

Can you open a case with Aruba support on this? I'm not 100% sure if this is supported/designed, but TAC may be able to assist you regardless. Please share the ticket number in a PM if you feel it may help for the TAC engineer to speak with me, as I now think I understand the question.