Are there any references or recommendations we can review when building ClearPass Role Mapping Policies? I'm working a situation where we are authenticating against a large and complicated AD environment. There are lots of users, lots of OUs, and lots of AD groups. Users can be members of 100 or more groups.
When we build Role Mapping conditions, should we avoid lots of Authorization memberOf: contains or Groups: EQUALS queries?
Is it better to use contains as opposed to equals?
Would authentication be quicker (and more reliable) if we tested against DistinguishedNames or AD user object attributes, instead of checking for AD group memberships?
Thanks!