Occasional Contributor I

Extracting realm from User-Name as a role

Is it possible to use the realm that is sent as a request as part of role mapping or attribute mapping?

 

We have a legacy radius configuration that uses a format of:

 

username@role

 

To determine the specified role that the user is requesting.  This allows an end-user to specify the desired role as part of the request (i.e. user@guest, user@staff).  I could create a separate service/role mapping for every role, but we have about 140 roles that need to be mapped.  Ideally I would like to be able to use a single service/policy that does the equivalent of:

 

1. User authenticates with: $user@$role

2. Authenticate $user

3. If $role in User "Groups" attributes grant access AND return "Class=$role", else Deny

 

Any ideas of how to implement this in a single service?  Thanks.

Guru Elite

Re: Extracting realm from User-Name as a role

Try something like this:

 

[screenshot: enf-domain-map.PNG]

 

OR THIS

 

[screenshot: rolemap-domain-map.PNG]

 

 

Make sure that you strip the realm in your service otherwise authentication to LDAP or AD will fail.

 

[screenshot: strip-domain-at.PNG]


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: Extracting realm from User-Name as a role

Tim, that is definitely getting me closer to what I'm looking for.  The other part that I need was adding an "AND" clause to the mapping to ensure that the user is also in the group (to prevent student@student from entering student@faculty and getting @faculty access).

 

The new mapping looks something like:

 

(Authorization:ActiveDirectory:Groups EQUALS staff)

AND (Authentication:Full-Username ENDS_WITH @staff)

 

It would be nice if I could replace "staff" with %{realm}, but this is a massive improvement of my initial idea of creating separate services for every role.

 

 
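The procedure in the original question (split User-Name at "@", authenticate the bare user, grant only if the requested realm is one of the user's groups, then return Class=realm) and the per-role mapping rule quoted above both reduce to one check, which the following Python sketch implements generically, i.e. the "%{realm}" behaviour the poster wished for. This is an added illustration, not code from the thread or from ClearPass: the user accounts and group memberships are constructed, and the rule rendering at the end only mimics the rule text quoted in the thread rather than ClearPass's actual rule syntax.

```python
import re

# Constructed sample directory for the example: bare username -> AD groups.
# These accounts and groups are made up; a real deployment would query LDAP/AD
# with the realm already stripped (otherwise the bind/lookup fails, as noted).
DIRECTORY = {
    "alice": {"staff", "faculty"},
    "bob": {"student"},
}

# Exactly one "@": a User-Name such as "bob@student@faculty" must not match,
# so a user cannot smuggle a second realm past an ENDS_WITH style check.
REALM_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[^@\s]+)$")


def split_realm(full_username):
    """Split 'user@realm' into (user, realm); (full_username, None) if no realm.

    The realm is lower-cased so that 'alice@Staff' and 'alice@staff' map to the
    same role (assumption: group names are compared case-insensitively).
    """
    m = REALM_RE.match(full_username)
    if not m:
        return full_username, None
    return m.group("user"), m.group("realm").lower()


def authorize(full_username, directory=DIRECTORY, allowed_roles=None):
    """Evaluate the 'realm must equal a group the user holds' policy.

    Returns ("ACCEPT", {"Class": realm}) or ("REJECT", reason).
    allowed_roles optionally restricts which realms are valid role names at all
    (a stand-in for the fixed list of ~140 roles mentioned in the thread).
    """
    user, realm = split_realm(full_username)
    if realm is None:
        return "REJECT", "no realm in User-Name"
    if allowed_roles is not None and realm not in allowed_roles:
        return "REJECT", "unknown role " + realm
    groups = directory.get(user)          # lookup uses the stripped username
    if groups is None:
        return "REJECT", "unknown user " + user
    if realm not in {g.lower() for g in groups}:
        # The AND clause from the thread: student@faculty is denied because
        # 'faculty' is not among the groups the authenticated user holds.
        return "REJECT", user + " is not a member of group " + realm
    return "ACCEPT", {"Class": realm}


def role_mapping_rules(roles):
    """Render one rule per role, the per-variation list the thread ends on.

    The text form imitates the rule quoted in the thread; it is not ClearPass
    import syntax, just a way to generate the 140 lines instead of typing them.
    """
    template = ("(Authorization:ActiveDirectory:Groups EQUALS {r}) "
                "AND (Authentication:Full-Username ENDS_WITH @{r}) => {r}")
    return [template.format(r=r) for r in sorted(roles)]


if __name__ == "__main__":
    for name in ("alice@staff", "bob@faculty", "bob@student",
                 "alice", "bob@student@faculty", "carol@staff"):
        print(name, "->", authorize(name))
    print("\n".join(role_mapping_rules({"staff", "student", "faculty"})))
```

The single-"@" regex is the part worth keeping even if the rest is replaced by real role-mapping rules: an ENDS_WITH check on its own accepts any prefix, so the group-membership AND clause is what actually stops a user from picking a role they do not hold.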

Guru Elite

Re: Extracting realm from User-Name as a role

Unfortunately you'd need to create a role map rule for each variation. You still only need one service though.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.