Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using AD group in cppm service selection

  • 1.  Using AD group in cppm service selection

    Posted Sep 13, 2016 10:23 AM

    I've created a CPPM service that we use to authenticate onto our comware switches. Part of the service selection is checking if the RADIUS User-Name is a member of a particular group of users. Later on I set up some Roles based upon contents of an AD group and then apply an enforcement policy if a particular role exists.

     

    Problem is the list of users is getting a bit unwieldy in the service selection bit. Is there any way of checking whether a given User-Name is a member of an AD group at service selection time?

     

    A

     

     



  • 2.  RE: Using AD group in cppm service selection

    EMPLOYEE
    Posted Sep 13, 2016 10:26 AM

    Unfortunately no. Service categorization happens well before authorization.

     

    You could leverage username realms though.

     

    You should only need rules that reference the group membership, not usernames individually.



  • 3.  RE: Using AD group in cppm service selection

    EMPLOYEE
    Posted Sep 14, 2016 03:36 AM

    Would it work for you to match all users in the service and after authentication, based on the group membership (roles, device, etc...) return a Deny Access for unauthorized users?

     

    That has another benefit, namely that you can put additional actions on unauthorized users trying to get access; like opening helpdesk tickets for a security incident.

     

    The information on what you are trying to achieve (the question behind your question) is not fully clear, and please contact your Aruba partner or TAC if you need to discuss how to implement what you really want.