  • 1.  Using Machine OU to define policy in clearpass

    Posted Jan 28, 2021 01:28 PM
    Is it possible to use the AD Machine OU to define what role a user/client gets in Clearpass?

    I have a project where there are Windows laptops configured with an auto-logon script using a generic user name and password (I know this is awful, but I don't/can't control the AD environment at that location). 

    What they would like to happen is to have specific laptops placed into particular AD OUs and have the OU membership decide what policy/Clearpass role is assigned to that user/machine combination.

    Is that possible and where would the best place to configure that be?  I was thinking that it should be in the Role Mapping, but I can't quite figure out how to "word" the query/mapping.

    Regards,

    Bill

    ------------------------------
    Bill Fischer
    ------------------------------


  • 2.  RE: Using Machine OU to define policy in clearpass

    Posted Jan 29, 2021 03:58 AM
    Are you using computer authentication? If so, you should see the UserDN attribute that contains the full path, including OU information:
    In role-mapping or in enforcement you can use this information to define your policy/enforcement.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Using Machine OU to define policy in clearpass

    Posted Feb 02, 2021 02:34 AM
    This is most typically done with Security Groups. OU is possible as shown by Herman. Computer accounts can be placed in Security Groups much like users can.
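
The OU-to-role decision discussed in this thread, sketched as an added example that is not part of any post and is not ClearPass configuration: it parses a UserDN value into its OU path and picks the most specific matching role. The OU names, role names and sample DNs are constructed, and multi-valued RDNs (`+`) are assumed not to occur.

```python
# Added illustration: OU names, role names and DNs are constructed.
# Keys are full OU paths, nearest OU first, in the order they appear in a DN.
OU_ROLE_MAP = {
    ("kiosks", "laptops"): "kiosk-laptop",
    ("laptops",): "generic-laptop",
}

def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas only."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escaped pair inside the value
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts

def ou_path(dn):
    """Return the OU values of a DN, nearest first, lower-cased."""
    ous = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "OU":
            ous.append(value.strip().lower())
    return tuple(ous)

def role_for(dn, default="deny"):
    """Pick the role whose OU path is the longest match, else the default."""
    path = ou_path(dn)
    best = None
    for key, role in OU_ROLE_MAP.items():
        # The key must equal the tail of the path, i.e. be the machine's own
        # container or one of its ancestors, counted from the domain root.
        if len(key) <= len(path) and path[-len(key):] == key:
            if best is None or len(key) > len(best[0]):
                best = (key, role)
    return best[1] if best else default
```

Comparing parsed OU components rather than searching the DN string for a substring keeps text inside a CN value from being read as an OU.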