Aruba

Re: Error message for Role Mapping Policy - CPPM

I have run into this same error. Basically you are not able to read the memberOf attributes of the logged-on user. If you look at the "Computed Attributes" within Access Tracker, under the Input tab and under the Authorization Attributes, you'll likely not see any "memberOf" attributes; only UserDN.

I've seen this at a couple of customers. In one instance, the user was not a member of any groups aside from Domain Users (this does not show as memberOf when set as the primary group; this is normal). In the other instance we resolved it by elevating the permissions of the Bind account.

We verified this using an LDAP browser with the Bind account; it could not see those attributes despite having permission to. Elevating permissions was OK with that customer, so we did not contact support to see if it was a known issue.

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
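The check described in the post above (query the same user as the normal Bind account and as a higher-privileged account, then compare what each can see) as an added example; this is not Clembo's code nor anything shipped with ClearPass. The LDAP fetch assumes the ldap3 library; the comparison logic works on plain dicts and is shown on constructed data.

```python
"""Diagnose why ClearPass Access Tracker shows only UserDN and no memberOf."""

DOMAIN_USERS_RID = 513  # well-known RID of Domain Users, the default primary group


def fetch_user(server_uri, bind_dn, password, base_dn, sam_account):
    """Read one user's DN, memberOf and primaryGroupID as the given bind account.

    Assumes ldap3 is installed; run once with the ClearPass Bind account and once
    with a more privileged account, then hand both results to compare_views().
    """
    from ldap3 import Server, Connection, ALL
    from ldap3.utils.conv import escape_filter_chars
    conn = Connection(Server(server_uri, get_info=ALL), user=bind_dn,
                      password=password, auto_bind=True)
    conn.search(base_dn, f"(sAMAccountName={escape_filter_chars(sam_account)})",
                attributes=["distinguishedName", "memberOf", "primaryGroupID"])
    if not conn.entries:
        return None  # bind account cannot even see the user object
    attrs = conn.entries[0].entry_attributes_as_dict  # attribute -> list of values
    rid = attrs.get("primaryGroupID") or []
    return {"distinguishedName": (attrs.get("distinguishedName") or [None])[0],
            "memberOf": list(attrs.get("memberOf") or []),
            "primaryGroupID": int(rid[0]) if rid else None}


def effective_groups(user):
    """memberOf never lists the primary group, so add a marker for Domain Users.

    Explains the 'user is only in Domain Users' case: memberOf is legitimately empty.
    """
    groups = list(user.get("memberOf") or [])
    if user.get("primaryGroupID") == DOMAIN_USERS_RID:
        groups.append("<primary group: Domain Users>")
    return groups


def compare_views(bind_view, admin_view):
    """Classify the cause from the Bind-account view and the privileged view."""
    if bind_view is None:
        return "user-not-visible-to-bind-account"
    bind_has = bool(bind_view.get("memberOf"))
    admin_has = bool(admin_view.get("memberOf"))
    if not bind_has and admin_has:
        return "bind-account-cannot-read-memberOf"  # permissions problem on the Bind account
    if not bind_has and not admin_has:
        return "user-has-no-groups-beyond-primary"  # nothing to map on; add the user to a group
    return "memberOf-readable"  # the attributes are there; look elsewhere for the mapping error
```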

Frequent Contributor I

Re: Error message for Role Mapping Policy - CPPM

Hi Clembo,

Yes, we are getting only the User DN attribute when we look at the Access Tracker authorization part.

I have attached the attributes that we are getting in the authorization part.

So can you explain briefly what we have to do to resolve this issue? I am a little bit weak in AD, so can you give me any document or any screenshot on how to give the permissions for the BIND account.

 

Regards,

Nithin Kumar C V

Aruba

Re: Error message for Role Mapping Policy - CPPM

Just to test/confirm.

Check what account is used as the Bind account under the AD Authentication Source. Check what permissions that account has in AD. Then, add it to a higher privileged group; Domain Admins for example. ****This is usually not necessary; I just want to see if it helps with you reading all the needed attributes. Make sure the group change has replicated to the DC you are authenticating against in your AD authentication source.

Are the results any different?

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Frequent Contributor I

Re: Error message for Role Mapping Policy - CPPM

Hi All,

In my case what's happening is that the domain machine is authenticating, and in AD all the domain machines are in a single OU, so it is not differentiating the user.

We think for this we need user authentication to happen so that we can differentiate the users and get their desired VLAN, so we need clarification on how to do user authentication with EAP-TLS.

Machine and user authentication for EAP-TLS, or only user authentication for EAP-TLS?

As per the end user, they have issued a certificate for each user also.

 

Regards,

Nithin Kumar C V

Frequent Contributor I

Re: Error message for Role Mapping Policy - CPPM

:(

Aruba

Re: Error message for Role Mapping Policy - CPPM

You could still accomplish this by putting the computers in groups and basing your mappings on that vs. OU placement.

If you want to use user and computer EAP-TLS, this is possible. The configuration is really on the client side. Windows has a setting that says whether to use User Authentication, Computer Authentication, or User or Computer Authentication. This setting is under the Advanced Settings button of the wireless configuration.

  • If User Authentication - Device will only get on the wireless network when the user logs in using the user's credentials/certificate
  • If Computer Authentication - Device will use computer credentials/certificate pre user logon and post user logon
  • If User or Computer Authentication - Device will connect to the wireless network using the computer's credentials/certificate when no user is logged in. When a user logs in, Windows will reauthenticate the device with the user credentials/certificate

If you want to use EAP-TLS and ClearPass to not only authenticate the users, but to also authorize them based upon groups or other attributes, you may need to turn on Certificate Comparison in the EAP-TLS Authentication Method you are using for your service, if you haven't already (I usually create a new EAP-TLS method for my customers with this).

 

cp-tls-compare.jpg

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Frequent Contributor I

Re: Error message for Role Mapping Policy - CPPM

Thanks a lot for your support and guidelines.

:)
