Security

  • 1.  ClearPass and Nested Groups does not work.

    Posted Oct 15, 2025 08:38 AM

    I have a ClearPass running, where clients use TEAP to get access to the network (Wired and Wireless)

    Everything works perfectly as long as I point to groups that users and computers are a direct member of.

    If I try nested groups it fails.

    So as an example: the user is a member of the ORG-XXXX group, and that group is a member of the XXXX-NET-XXX group, which is the one I want to use.

    So if the setup is this :
    * The user is a member of Group XXXX-NET-XXX.
    And I check if the user is a member of the XXXX-NET-XXX group, it works perfectly.

    If the setup is this:
    * User is a direct member of Group ORG-XXXX
    * Group ORG-XXXX is a member of XXXX-NET-XXX
    And I check if the user is a member of XXXX-NET-XXX, it does NOT work.

    In the Access Tracker I only get info about the groups the user/computer is a direct member of, not the nested part.

    I added this to the source

    [Attached screenshots: Authsource-Attribute Filter All Groups; AuthSource-Attribute Filters; AuthSource-Attributes Overview; AuthSource-Overview]


    -------------------------------------------


  • 2.  RE: ClearPass and Nested Groups does not work.

    Posted Oct 15, 2025 09:29 AM

    I have never implemented nested groups. Have you compared your configuration with any guides on how to implement this?

    For example this thread in Airheads: https://airheads.hpe.com/discussion/deep-nested-active-directory-queries



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass and Nested Groups does not work.

    Posted Oct 15, 2025 09:42 AM

    A few remarks, apart from the fact that nested groups can be complex and a 'can of worms'. I created a video a while ago on Nested Groups.

    What has worked for me is to use an LDAP browser (use your favorite search engine to find one) and check if you can get the information from your LDAP server.

    Then, especially when setting this up, one smart feature of ClearPass that hit me multiple times is that when you create/modify a query, but the output of that query (in this case Nested Groups/Nested DN) is not used anywhere in the role mapping or enforcement policy, the query is not even executed; so check in Access Tracker if you see the attributes there. If not, create a role mapping that tests something in that query; it may even be "if Auth:.... Nested Groups EXISTS => assign an arbitrary role". If you still don't see anything, go back to the query until you see the desired/expected data there.

    Also there are some caveats when using a global catalog, or cross-domain group membership. If you search on The Edge For Partners for 'Active Directory' there is quite a lot of info available.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
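The two checks the thread revolves around, as an added example that is not code from the thread, from ClearPass or from HPE Aruba: the first post reads only the user's own memberOf attribute, which lists direct groups, so the nested group never appears; the fix is to let Active Directory walk the chain server-side with the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941, a real AD feature). The block builds that filter, escapes the username per RFC 4515 so a crafted login name cannot alter the filter, and uses a small constructed in-memory directory (the user jdoe, the group ORG-XXXX and the group XXXX-NET-XXX, with assumed DNs under DC=example,DC=com) to show that a direct lookup fails where the transitive lookup succeeds. The user and group DNs, the username and the sAMAccountName attribute are assumptions for illustration.

```python
"""Nested AD group membership: direct memberOf vs. chain-walking lookup.

Added example, not the thread's or ClearPass's own code. The in-memory
directory below is constructed to mirror the first post: jdoe is a direct
member of ORG-XXXX, and ORG-XXXX is a member of XXXX-NET-XXX.
"""

# LDAP_MATCHING_RULE_IN_CHAIN: asks the AD server to follow memberOf
# transitively instead of returning only direct memberships.
RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed directory: object DN -> values of its memberOf attribute.
# DNs are assumed for illustration.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=example,DC=com": [
        "CN=ORG-XXXX,OU=Groups,DC=example,DC=com",
    ],
    "CN=ORG-XXXX,OU=Groups,DC=example,DC=com": [
        "CN=XXXX-NET-XXX,OU=Groups,DC=example,DC=com",
    ],
    "CN=XXXX-NET-XXX,OU=Groups,DC=example,DC=com": [],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without this, a login name such as 'jdoe)(objectClass=*' would change
    the meaning of the filter the username is substituted into.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def nested_member_filter(username: str, group_dn: str,
                         user_attr: str = "sAMAccountName") -> str:
    """Filter that matches the user only if they are a direct OR nested
    member of group_dn; AD resolves the nesting server-side."""
    return "(&(%s=%s)(memberOf:%s:=%s))" % (
        user_attr,
        escape_filter_value(username),
        RULE_IN_CHAIN,
        escape_filter_value(group_dn),
    )


def direct_groups(dn: str) -> list:
    """What a plain read of the memberOf attribute returns: direct groups only."""
    return list(DIRECTORY.get(dn, []))


def transitive_groups(dn: str) -> list:
    """What the chain-walking query returns: every group reachable via
    memberOf. The 'seen' set also protects against group cycles."""
    seen, stack = set(), list(DIRECTORY.get(dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(DIRECTORY.get(group, []))
    return sorted(seen)


def is_member(user_dn: str, group_dn: str, nested: bool = False) -> bool:
    """Membership test as seen by a direct lookup (nested=False) versus a
    chain-walking lookup (nested=True)."""
    groups = transitive_groups(user_dn) if nested else direct_groups(user_dn)
    return group_dn in groups


if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,DC=example,DC=com"
    target = "CN=XXXX-NET-XXX,OU=Groups,DC=example,DC=com"
    print("direct lookup sees XXXX-NET-XXX:", is_member(user, target))
    print("nested lookup sees XXXX-NET-XXX:", is_member(user, target, nested=True))
    print("filter to run against AD:", nested_member_filter("jdoe", target))
```

To verify against the real directory before touching ClearPass, as Herman suggests, run the printed filter with an LDAP browser or ldapsearch against a domain controller; if the user is returned, the server resolves the nesting and the same filter shape can be used in the authentication source (in ClearPass the literal username would be replaced by the %{Authentication:Username} macro). Note that the chain-walking rule is resolved on the DC and can be slow on large, deeply nested directories, and that a Global Catalog (port 3268) only returns the partial attribute set, which is one of the cross-domain caveats mentioned above.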