Dell PowerConnect W Clearpass 100 Software External Authentication Servers Sof - Page 12

Advanced authorization - Example 1, Advanced authorization - Example 2


NOTE: With the authorization method Use PHP code to assign a user role (Advanced), more complex authorization rules can be implemented to specify which role to assign to an authenticated user. Authorization can use any of the available properties of the user account, as well as taking into account other factors such as the time of day, previous usage, and more.

Advanced authorization - Example 1

This example covers the case where a domain contains several organizational units (OUs), and the users in each OU are to be mapped to a specific RADIUS role ID.

NOTE: To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the appropriate role.

For example, to implement the following configuration:

• OU East should be mapped to RADIUS role ID 4
• OU Central should be mapped to RADIUS role ID 5
• OU West should be mapped to RADIUS role ID 6

Make sure the following configuration is set:

1. First, ensure that the Base DN for the authentication server is set to the root of the domain - for example: DC=amigopod,DC=local - rather than the "Users" container. This is necessary as the organizational units are located below the top level of the directory and cannot be searched from the CN=Users container.

2. Select the authorization method Use PHP code to assign a user role (Advanced) and use the following code:

   // Map the OU in the user's distinguished name to a RADIUS role ID.
   // stripos() returns the match position or false, so compare against
   // false explicitly rather than relying on the position being non-zero.
   if (stripos($user['distinguishedname'], 'OU=East') !== false) return 4;
   if (stripos($user['distinguishedname'], 'OU=Central') !== false) return 5;
   if (stripos($user['distinguishedname'], 'OU=West') !== false) return 6;
   // No OU matched: fail authorization.
   return false;

Explanation: During user authorization, the distinguished name of the user (which will contain the user's OU) is checked against the defined rules, and an appropriate role ID is returned. If no match is found, false is returned, which means that authorization fails and the user's Access-Request will be rejected.

Advanced authorization - Example 2

This example covers the case where users are assigned group memberships, and users in a particular group are to be mapped to a specific RADIUS role ID.

NOTE: To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the appropriate role.

For example, to implement the following configuration:

• Members of the Domain Admins group should be mapped to RADIUS role ID 4
• Members of the Users group should be mapped to RADIUS role ID 5
• All other users should be rejected

Make sure the following configuration is set:

12 | External Authentication Servers | Amigopod | Technical Note
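The following is an added example covering both Example 1 and Example 2 in one authorization snippet; it is not the Amigopod documentation's own code. It assumes the same hook as the snippet in Example 1: $user holds the LDAP attributes of the authenticated account with lower-cased keys, and the code returns a RADIUS role ID or false. The 'memberof' attribute name (Active Directory's memberOf, one group DN per entry) and the availability of preg_match()/preg_quote() inside the hook are assumptions; check them against the attributes your own directory returns. It goes beyond the page's substring check by matching OU and CN values as whole RDN components, so an OU named "Eastern" or "East Coast" is not accepted as "East", and by testing the most privileged group first.

```php
// Added example, not from the Amigopod documentation. Assumes the Example 1
// hook ($user = LDAP attributes, lower-cased keys; return role ID or false).
// 'memberof' and the use of preg_match()/preg_quote() here are assumptions.

$dn = isset($user['distinguishedname']) ? $user['distinguishedname'] : '';

// Example 1, with an exact RDN match: 'OU=East' must sit between commas or at
// the end of the DN, so 'OU=Eastern' or 'OU=East Coast' no longer qualifies
// the way a stripos() substring check would let it.
$ou_roles = array('East' => 4, 'Central' => 5, 'West' => 6);
foreach ($ou_roles as $ou => $role_id) {
    if (preg_match('/(^|,)\s*OU=' . preg_quote($ou, '/') . '\s*(,|$)/i', $dn)) {
        return $role_id;
    }
}

// Example 2: map group memberships. memberOf is one group DN per entry and
// may arrive as a single string when the user is in only one group, hence
// the array cast. The most privileged group is tested first so an account
// that is in both groups receives the Domain Admins role, not the Users role.
$group_roles = array('Domain Admins' => 4, 'Users' => 5);
$groups = isset($user['memberof']) ? (array) $user['memberof'] : array();
foreach ($group_roles as $group => $role_id) {
    foreach ($groups as $group_dn) {
        if (preg_match('/^CN=' . preg_quote($group, '/') . '\s*(,|$)/i', $group_dn)) {
            return $role_id;
        }
    }
}

// Neither an OU rule nor a group rule matched: authorization fails and the
// user's Access-Request is rejected (default deny).
return false;
```

Either half can be used on its own; the group half alone implements Example 2's "all other users should be rejected" policy, because the trailing return false rejects every account that is not in one of the listed groups. Order matters in both halves: the first rule that matches wins, so list the rules from most to least privileged.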

