Guru Elite

Re: Onboard limit per user based on group


@srikanthsoogoor wrote:

Can I stop users from giving domain\username by writing a role like

authorisation: AD groups onboardlimit

     AND

Radius:ietf username not begins with domain name (for example, domain is abc)

If the user enters Abc or ABC, will it stop, or does it treat it as case sensitive?

 

cheers

srikanth 


You can strip the contents of the username: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/9087/1/2014-01-13%2012_01_32-ClearPass%20Policy%20Manager%20-%20Aruba%20Networks.png, but that might not be enough.

 

If that does not work you might have to enable "User Inner Identity in Accept Reply" as well:

inner.PNG


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor II

Re: Onboard limit per user based on group


@cjoseph wrote:

@srikanthsoogoor wrote:

Can I stop users from giving domain\username by writing a role like

authorisation: AD groups onboardlimit

     AND

Radius:ietf username not begins with domain name (for example, domain is abc)

If the user enters Abc or ABC, will it stop, or does it treat it as case sensitive?

 

cheers

srikanth 


You can strip the contents of the username: http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/9087/1/2014-01-13%2012_01_32-ClearPass%20Policy%20Manager%20-%20Aruba%20Networks.png, but that might not be enough.

 

If that does not work you might have to enable "User Inner Identity in Accept Reply" as well:

inner.PNG

 

 

If I enable user inner identity in the access-accept reply, I would see it in Access Tracker as username instead of domain\username, right?

If that is the case, then the Onboard authorisation service will use the user inner identity to onboard the device even if he gives domain\username. It would consider only the username to onboard, or what?

If I strip the username in the service, it would use only the stripped string to check the authentication, right? Or will it use the stripped string as owner in Onboard?

 

Guru Elite

Re: Onboard limit per user based on group

If you use both parameters, it should return it without the \domain.  Try it.

 


Contributor I

Re: Onboard limit per user based on group

Hello, 

 

I would love to have a bit more detailed description of how to create these checks and enforcement profiles. So if you have the time to post some screens, it would be greatly appreciated.

 

Thanks,

 

Tomas

Contributor II

Re: Onboard limit per user based on group


@cjoseph wrote:

If you use both parameters, it should return it without the \domain.  Try it.

 


I have used both the parameters: in Onboard authorisation I used strip username rules \:user, and in the RADIUS service parameters I have enabled user inner identity. But I am still able to onboard the device if I give domain\username.

I guess it would be fine if I write

 authorisation: AD groups onboardlimit1 && radius ietf: username doesn't contain \ (separator between domain and username)

 

cheers 

srikanth 

                                           

Aruba

Re: Onboard limit per user based on group


@srikanthsoogoor wrote:

@cjoseph wrote:

If you use both parameters, it should return it without the \domain.  Try it.

 


I have used both the parameters: in Onboard authorisation I used strip username rules \:user, and in the RADIUS service parameters I have enabled user inner identity. But I am still able to onboard the device if I give domain\username.

I guess it would be fine if I write

 authorisation: AD groups onboardlimit1 && radius ietf: username doesn't contain \ (separator between domain and username)

 

cheers 

srikanth 

                                           


What version of CPPM are you using? I believe there was a bug where the strip domain wasn't working correctly. If you are at the latest please open a TAC case. 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
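
The concern running through this thread is that one account can be presented as `username`, `domain\username`, or the same with different letter case, so a per-user device limit only holds if the owner key is normalized before devices are counted. The sketch below is an added illustration, not ClearPass code and not from any poster; `canonical_user`, `OnboardLimiter`, the sample user `alice` and the MAC addresses are hypothetical, and it assumes a single AD domain so that dropping the domain part is safe.

```python
from collections import defaultdict


def canonical_user(raw: str) -> str:
    """Reduce DOMAIN\\user, user@domain and bare user to one lower-case key.

    Assumption: a single AD domain, so discarding the domain is unambiguous.
    """
    name = raw.strip()
    if "\\" in name:                  # NetBIOS form: DOMAIN\user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                   # UPN form: user@domain
        name = name.split("@", 1)[0]
    return name.casefold()            # AD account names are case-insensitive


class OnboardLimiter:
    """Hypothetical tracker: enrolled devices per owner, limit per AD group."""

    def __init__(self, group_limits, normalize=True):
        self.group_limits = group_limits      # e.g. {"onboardlimit1": 1}
        self.normalize = normalize
        self.devices = defaultdict(set)       # owner key -> device MACs

    def request(self, username, group, mac):
        key = canonical_user(username) if self.normalize else username
        limit = self.group_limits[group]      # None means unlimited
        owned = self.devices[key]
        if mac not in owned and limit is not None and len(owned) >= limit:
            return False                      # limit reached for this owner
        owned.add(mac)
        return True


def demo(normalize):
    # Constructed sample: one person, three spellings of the same account.
    limiter = OnboardLimiter({"onboardlimit1": 1}, normalize=normalize)
    attempts = [("alice", "aa:aa:aa:00:00:01"),
                ("abc\\alice", "aa:aa:aa:00:00:02"),
                ("ABC\\Alice", "aa:aa:aa:00:00:03")]
    return [limiter.request(u, "onboardlimit1", m) for u, m in attempts]
```

With `normalize=False` each spelling becomes its own owner and every request passes; with `normalize=True` only the first device is accepted.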
Aruba

Re: Onboard limit per user based on group


@tlilja wrote:

Hello, 

 

I would love to have a bit more detailed description of how to create these checks and enforcement profiles. So if you have the time to post some screens, it would be greatly appreciated.

 

Thanks,

 

Tomas


Tomas,

 

What are you trying to accomplish? Here is an example of my onboard auth.

 

screenshot_07 Jan. 18 01.02.gif
screenshot_08 Jan. 18 01.02.gif
screenshot_04 Jan. 18 01.00.gif
screenshot_05 Jan. 18 01.00.gif
screenshot_06 Jan. 18 01.02.gif

Thank You,
Troy

Contributor I

Re: Onboard limit per user based on group

I'm trying to make three different profiles for Onboard: 1, 2 and an unlimited number of devices, and I was unsure how to do it. But now I have an example to work from and I'll try to modify my existing config to make it work.

 

Many thanks, 

Tomas

 
