Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

How to map access to a specific AD Security Group

This thread has been viewed 13 times

  • 1.  How to map access to a specific AD Security Group

    Posted Oct 12, 2017 01:30 AM

    I would like to map user access to certain VLANs against membership in specific Microsoft Active Directory Security Groups (e.g. admins).

     

    My consultant told me we had to use a generic group search attribute that would pull strings from ALL security groups as well as ALL distribution groups. Obviously this would not pass an audit.

     

    Can anyone help with what an LDAP filter/queuy would look like (as an example) to map the authorization to a specific security group?

     

    Thanks--



  • 2.  RE: How to map access to a specific AD Security Group

    EMPLOYEE
    Posted Oct 12, 2017 07:07 AM
    That's not really how it works. Group is one of the available AD attributes pulled during authorization. You can write a rule to check and see if the user is a member of a certain group using the Group attribute.


  • 3.  RE: How to map access to a specific AD Security Group

    Posted Oct 12, 2017 10:15 AM
    Could you elaborate a bit more or provide example syntax? Thanks


  • 4.  RE: How to map access to a specific AD Security Group

    EMPLOYEE
    Posted Oct 12, 2017 10:26 AM

    Screen Shot 2017-10-12 at 10.25.05 AM.png



  • 5.  RE: How to map access to a specific AD Security Group

    Posted Oct 12, 2017 10:53 AM

    Got it, so its possible to drill down and make it search for a specific group name or "string" -- right?

     

    But, is it possible to restrict that search to security groups only, rather than search fro the string across seucrity and distribution groups?



  • 6.  RE: How to map access to a specific AD Security Group

    EMPLOYEE
    Posted Oct 12, 2017 11:11 AM

    Yes, it's an exact match check.

    You can also use the memberOf attribute if you want to match on the entire DN of the group.

     

    AD stores both security and DLs in the memberOf context, so no, there is really no way to limit it. I can't imagine a DL and security group would have the same name.