Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Role Mapping not catching a user who is memberOf a group

  • 1.  Role Mapping not catching a user who is memberOf a group

    Posted Jun 14, 2016 01:07 PM

    CN=GLB-xxxxxx shows up under their authorization in the failure message and that's what we key off of.  Only difference between this user and me is that in the authorization on the logs the group shows up under Group and memberOf.

    Have tried keying his off memberOf or Group and it does not matter, he just does not match.

    Rule is Authsource-AD, memberOf, equals, GLB-xxxxxx


  • 2.  RE: Role Mapping not catching a user who is memberOf a group

    EMPLOYEE
    Posted Jun 14, 2016 01:10 PM
    Are they in a nested group?


  • 3.  RE: Role Mapping not catching a user who is memberOf a group

    Posted Jun 14, 2016 01:23 PM

    Is there an easy way to tell from the ClearPass auth failure message under auth attribs?


  • 4.  RE: Role Mapping not catching a user who is memberOf a group

    EMPLOYEE
    Posted Jun 14, 2016 01:25 PM
    You'd want to look in AD.


  • 5.  RE: Role Mapping not catching a user who is memberOf a group
    Best Answer

    EMPLOYEE
    Posted Jun 14, 2016 06:04 PM

    @Bruha wrote:

    CN=GLB-xxxxxx shows up under their authorization in the failure message and that's what we key off of.  Only difference between this user and me is that in the authorization on the logs the group shows up under Group and memberOf.

    Have tried keying his off memberOf or Group and it does not matter, he just does not match.

    Rule is Authsource-AD, memberOf, equals, GLB-xxxxxx

    The MemberOf attribute is a string.  Please use contains instead of equals to attempt to match any part of that string.
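
Added example, not part of the original thread and not ClearPass code: a small Python model of the comparison discussed in the answer above, showing why `equals` on a bare group name never matches a memberOf value and where a bare `contains` can match more groups than intended. The group names, the `example.com` domain and every function name are constructed for illustration, and memberOf is assumed to arrive as one full distinguished name per group.

```python
# Constructed sample data: memberOf values as full AD distinguished names.
# Group names and the example.com domain are made up for illustration.
USERS = {
    "alice": ["CN=GLB-Staff,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=GLB-Staff-Contractors,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Domain Users,CN=Users,DC=example,DC=com",
              "CN=GLB-Staff,OU=Groups,DC=example,DC=com"],
}

def rule_equals(member_of, value):
    """EQUALS: the whole attribute string must be identical to the rule value."""
    return any(dn.lower() == value.lower() for dn in member_of)

def rule_contains(member_of, value):
    """CONTAINS: the rule value may appear anywhere inside the string."""
    return any(value.lower() in dn.lower() for dn in member_of)

def leading_cn(dn):
    """CN of the first RDN (simplified: assumes no escaped commas in the DN)."""
    key, _, val = dn.split(",", 1)[0].partition("=")
    return val if key.strip().lower() == "cn" else None

def rule_cn_exact(member_of, value):
    """Strictest check: the group's own CN must equal the rule value."""
    return any((leading_cn(dn) or "").lower() == value.lower()
               for dn in member_of)

def evaluate(value):
    """Return {user: (equals, contains, cn_exact)} for one rule value."""
    return {user: (rule_equals(groups, value),
                   rule_contains(groups, value),
                   rule_cn_exact(groups, value))
            for user, groups in USERS.items()}

if __name__ == "__main__":
    for user, result in evaluate("GLB-Staff").items():
        print(user, dict(zip(("equals", "contains", "cn_exact"), result)))
    # Anchoring the substring on "CN=" and the trailing comma keeps a
    # plain contains rule from matching the longer group name.
    for user, groups in USERS.items():
        print(user, "anchored contains:", rule_contains(groups, "CN=GLB-Staff,"))
```

In this model a bare `contains` also matches the user in the longer-named group, so when group names share a prefix, a rule value that includes the leading `CN=` and the trailing comma is the narrower match.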



  • 6.  RE: Role Mapping not catching a user who is memberOf a group

    Posted Jun 14, 2016 06:34 PM

    Thanks, I've been beating my head against this for a while.  I did not even consider that a possibility.


  • 7.  RE: Role Mapping not catching a user who is memberOf a group

    EMPLOYEE
    Posted Jun 14, 2016 06:38 PM

    I'd wear a helmet, if I were you ;)