For example, to implement the following configuration:
Members of the Domain Admins group should be mapped to RADIUS role ID 4
Members of the Users group should be mapped to RADIUS role ID 5
All other users should be rejected
Select the authorization method Use PHP code to assign a user role (Advanced) and use the following
code:
// Check the most privileged group first.
if (in_array('CN=Domain Admins,CN=Users,DC=server,DC=local', $user['memberof']))
    return 4;
if (in_array('CN=Users,CN=Builtin,DC=server,DC=local', $user['memberof']))
    return 5;
// No rule matched: authorization fails.
return false;
Explanation: During user authorization, the 'memberOf' attribute of the user (which will contain a list of
the groups to which the user belongs) is checked against the defined rules, and an appropriate role ID is
returned. If no match is found, false is returned, which means that authorization fails and the user's Access-
Request will be rejected.
The in_array() comparison is done in a case-sensitive manner. Be sure to use the correct case as returned
by the LDAP query for the group name. Also note that the complete distinguished name (DN) for the group
must be specified, as this is the value checked for in the array of values returned for the 'memberOf'
attribute.
The primary group of a user assigned in Active Directory cannot be checked in this way, as Active Directory
does not return the primary group in the values of the 'memberOf' attribute. You can build logic that uses
the $user['primarygroupid'] property instead to work around this issue.
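The following added example (not code from this guide) combines the two notes above: it compares group DNs without regard to case and also consults $user['primarygroupid']. The wrapper function map_role(), the sample records, the handling of single-valued attributes, and the mapping of primary group Domain Users to role 5 are assumptions made for illustration; 512 and 513 are the well-known Active Directory RIDs for Domain Admins and Domain Users.

```php
<?php
// Added example (not from the guide). map_role() is a hypothetical wrapper.
const ROLE_ADMIN = 4;            // role IDs from the example configuration
const ROLE_USER  = 5;
const RID_DOMAIN_ADMINS = 512;   // well-known Active Directory RIDs
const RID_DOMAIN_USERS  = 513;

function map_role(array $user)
{
    // Assumption: single-valued attributes may arrive as a string, so cast to array.
    // Lower-casing both sides removes the case sensitivity of in_array().
    $groups  = array_map('strtolower', (array) ($user['memberof'] ?? []));
    $pgid    = (array) ($user['primarygroupid'] ?? []);
    $primary = (int) reset($pgid);   // 0 when the attribute is absent

    $admins = strtolower('CN=Domain Admins,CN=Users,DC=server,DC=local');
    $users  = strtolower('CN=Users,CN=Builtin,DC=server,DC=local');

    // Most privileged rule first; strict in_array() avoids loose type juggling.
    if (in_array($admins, $groups, true) || $primary === RID_DOMAIN_ADMINS) {
        return ROLE_ADMIN;
    }
    // Assumption: primary group Domain Users is treated like the Users rule.
    if (in_array($users, $groups, true) || $primary === RID_DOMAIN_USERS) {
        return ROLE_USER;
    }
    return false;   // fail closed: no match means the Access-Request is rejected
}

// Constructed sample records, shaped like the $user array used above.
$samples = [
    'admin, DN in different case' => [
        'memberof' => ['cn=domain admins,cn=users,dc=server,dc=local'],
        'primarygroupid' => '513',
    ],
    'admin via primary group only' => ['memberof' => [], 'primarygroupid' => '512'],
    'ordinary user, no memberOf'   => ['primarygroupid' => '513'],
    'single group as string'       => ['memberof' => 'CN=Users,CN=Builtin,DC=server,DC=local'],
    'unrelated group'              => [
        'memberof' => ['CN=Printers,DC=server,DC=local'],
        'primarygroupid' => '1105',
    ],
];
foreach ($samples as $label => $user) {
    printf("%-30s => %s\n", $label, var_export(map_role($user), true));
}
```

Only the statements inside map_role() correspond to the kind of code shown earlier; confirm the actual shape of the returned attributes with the Show detailed authorization info option before relying on the primary group check.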
Testing External Authentication Servers
The Test Authentication option for a server may be used to check the connection to an authentication
server, or verify the authorization rules that have been configured. To test an authentication server, click its
Test Authentication link on the Edit Authentication Server form. The server's row expands to include the
Test Authentication form.
1. In the Test Username and Test Password fields, enter the information for a user's credentials stored
on the server.
2. (Optional) To view additional details—for example, authentication rules, or account status or permitted
limits—mark the Show detailed authorization info check box in the Advanced row.
3. Click the Run Test button. A progress bar is shown during the test, and results are displayed below the
Test Authentication form.
RADIUS Services | ClearPass Guest 3.9 | Deployment Guide