Original Message:
Sent: Apr 15, 2025 08:48 AM
From: amarshirish.bidkar@infosys.com
Subject: Clearpass Enforcement based on the AD OU attributes
Hi Levi,
I am not sure where you want me to do that testing, but I see the settings below in Authentication attributes:

I would like to use the OU of the user's machine to apply an enforcement profile, so looking at these attributes I was thinking of using userDN, which was suggested by other posts.
This is an existing setup and there are a lot of users/devices using ClearPass for authentication, so I don't really want to change any existing settings in it.
Original Message:
Sent: Apr 15, 2025 05:53 AM
From: levi_m
Subject: Clearpass Enforcement based on the AD OU attributes
Hi,
no, you do not need to enable authorization in the service to see those attributes.
What does the configuration of your authentication source look like? What attributes are you fetching?
You can test your filter queries under Authentication - Sources - <your-ad> - Attributes. Click on the authentication filter, switch to the "Attributes" tab and test one of your computer accounts. For the username, please use the value of the following attribute from your Access Tracker entry: Computed Attributes - Certificate:Subject-CN. Click on Execute and check whether you get any account in return or not.
When you do not get any return you may have to adjust your attribute filter query.
Best,
Levi
Original Message:
Sent: Apr 14, 2025 01:52 AM
From: amarshirish.bidkar@infosys.com
Subject: Clearpass Enforcement based on the AD OU attributes
Hi Levi,
Thanks for the response. No, I have not tried it. I will try soon and let you know if that works.
Regarding Authorization Attributes, I don't see that option; see the screenshot below.
Probably because I don't have Authorization enabled, so my question was: will I be able to use userDN without enabling Authorization?
Original Message:
Sent: Apr 10, 2025 06:03 AM
From: levi_m
Subject: Clearpass Enforcement based on the AD OU attributes
Hi,
no, enabling authorization does not impact authentication. You also do not need to enable the "authorization" check box unless you want to use sources for authorization in addition to your authentication sources. So every authentication source will automatically be used for fetching authorization attributes as well.
Also regarding your first question: The UserDN attribute is showing under "Authorization Attributes", not "Computed Attributes". Please check there. As far as I can tell from your screenshot you are looking under "Computed Attributes".
Last but not least, your matching criteria for your enforcement policy looks fine. I configured something similar with TLS authentication and it worked out well. Have you tried already?
Best,
Levi
Original Message:
Sent: Apr 10, 2025 03:37 AM
From: amarshirish.bidkar@infosys.com
Subject: Clearpass Enforcement based on the AD OU attributes
Hi, I would just like to know if there will be any impact if we enable authorization on the existing server. I will be touching an existing service which has several users connecting using just the role 'Machine Authenticated'.
Original Message:
Sent: Apr 09, 2025 01:06 AM
From: OS66
Subject: Clearpass Enforcement based on the AD OU attributes
Hello, exactly this option, and put your AD there. You can create an additional service pointing to a specific switch or specific controller where you can test it; that way it will not have an impact on the rest.
Original Message:
Sent: Apr 09, 2025 01:01 AM
From: amarshirish.bidkar@infosys.com
Subject: Clearpass Enforcement based on the AD OU attributes
Hi,
Do you mean this option?

Yes, it is not enabled, but we have Authentication pointing to AD on the next page.

If we enable that Authorization in the existing service, will it have any impact? Anyway, I am going to create a new service for this enforcement and I can enable Authorization, but again, will it have any impact on other policies?
Thank you in advance.
Original Message:
Sent: Apr 09, 2025 12:48 AM
From: Ognyan Sabev
Subject: Clearpass Enforcement based on the AD OU attributes
Hello, can you show the service? I assume you didn't put AD as an authorization source; that's why ClearPass does not fetch this attribute from AD.
Original Message:
Sent: Apr 07, 2025 11:30 AM
From: amarshirish.bidkar@infosys.com
Subject: Clearpass Enforcement based on the AD OU attributes
Hi,
Currently our AD-authenticated machines are being assigned the Corp VLAN, but some of these devices are now required to join a different VLAN based on the AD attributes.
I understand I can use the OU for these devices: the devices will be added to a specific OU in AD, and then we can use that as a match criterion as below:
Type: Tip Name: Role EQUALS Value: Machine Authenticated
AND
Type: Authorization:AD Name Name: UserDN CONTAINS Value: OU=Restricted_New
Please let me know if this works.
I would also like to know if AD is actually passing these attributes to ClearPass, because in the Access Tracker live logs I am not seeing UserDN in the input attributes of the machine.
These are the attributes the machine is passing as input:

Thanks in advance
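
Added example, not part of the original thread and not ClearPass code: the match criterion discussed above (UserDN CONTAINS OU=Restricted_New) is a substring test, and this Python sketch compares a substring test with a test on the parsed OU components of a DN. The DNs, the OU name Restricted_New_Pilot and all function names are constructed for illustration.

```python
# Added example: substring test on a DN versus a test on its parsed OU components.
# All DNs below are constructed sample values, not taken from the thread.

def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (backslash escapes kept)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def ou_components(dn):
    """Return the OU values of a DN, lower-cased for comparison."""
    ous = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "ou":
            ous.append(value.strip().lower())
    return ous

def substring_match(dn, needle="OU=Restricted_New"):
    """Model of a CONTAINS-style rule: plain substring test on the whole DN."""
    return needle in dn

def exact_ou_match(dn, ou="Restricted_New"):
    """True only when one OU component equals the wanted name exactly."""
    return ou.lower() in ou_components(dn)

SAMPLES = {
    "intended": "CN=PC-0001,OU=Restricted_New,OU=Computers,DC=example,DC=com",
    "similar_ou": "CN=PC-0002,OU=Restricted_New_Pilot,OU=Computers,DC=example,DC=com",
    "other_ou": "CN=PC-0003,OU=Corp,OU=Computers,DC=example,DC=com",
}

def compare():
    """Map sample name -> (substring result, exact OU result)."""
    return {k: (substring_match(dn), exact_ou_match(dn)) for k, dn in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The "similar_ou" sample passes the substring test but not the exact OU test; a substring value that ends with the separator, OU=Restricted_New, with the trailing comma, no longer matches it.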