Aruba Networks PowerConnect W Clearpass 100 Software Deployment Manual page 103

Advanced Authorization — Example 1
This example covers the case where a domain contains several organizational units (OUs), and the users in
each OU are to be mapped to a specific RADIUS role ID.
To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the
appropriate role.
For example, to implement the following configuration:
OU East should be mapped to RADIUS role ID 4

OU Central should be mapped to RADIUS role ID 5

OU West should be mapped to RADIUS role ID 6

Make sure the following configuration is set:
1. First, ensure that the Base DN for the authentication server is set to the root of the domain – for
example: DC=Amigopod,DC=local – rather than the "users" container. This is necessary as the
organizational units are located below the top level of the directory and cannot be searched from the
CN=Users container.
2. Select the authorization method Use PHP code to assign a user role (Advanced) and use the
following code:
if (stripos($user['distinguishedname'],'OU=East')!== false) return 4;
if (stripos($user['distinguishedname'],'OU=Central')!== false) return 5;
if (stripos($user['distinguishedname'],'OU=West')!== false) return 6;
return false;
Explanation: During user authorization, the distinguished name of the user (which will contain the user's
OU) is checked against the defined rules, and an appropriate role ID is returned. If no match is found, false
is returned, which means that authorization fails and the user's Access-Request will be rejected.
Information on the stripos function for case-insensitive substring matching can be found at stripos().
Advanced Authorization — Example 2
This example covers the case where users are assigned group memberships, and users in a particular group
are to be mapped to a specific RADIUS role ID.
To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the ID column for the
appropriate role.
For example, to implement the following configuration:
Members of the Domain Admins group should be mapped to RADIUS role ID 4

Members of the Users group should be mapped to RADIUS role ID 5

All other users should be rejected

Select the authorization method Use PHP code to assign a user role (Advanced) and use the following
code:
if (in_array('CN=Domain Admins,CN=Users,DC=Amigopod,DC=local', $user['memberof']))
return 4;
if (in_array('CN=Users,CN=Builtin,DC=Amigopod,DC=local', $user['memberof'])) return
5;
return false;
Explanation: During user authorization, the 'memberOf' attribute of the user (which will contain a list of
the groups to which the user belongs) is checked against the defined rules, and an appropriate role ID is
Amigopod 3.7 | Deployment Guide RADIUS Services | 103