M and MSM Series
Active Directory group issue after applying 5.5.3

Don Duvall_1
Occasional Contributor

This all seemed to work fine on 5.5.1, but I had to upgrade to 5.5.3 due to an AP firmware corruption issue I was having under 5.5.1 that was slowly killing my APs.

The problem I'm seeing is as follows. Two VSCs are defined, SECURE and GUEST. SECURE is authentication only, authenticating over 802.1X against AD. GUEST is authentication and access control, authenticating over HTTP, also against AD.

SECURE - VSC configured for auth over 802.1X; users are members of the HP_SECURE group in AD

GUEST - VSC configured for auth/access control over HTTP; users are members of the HP_GUEST group in AD

If a user is a member of one or the other group, then the corresponding VSC works perfectly fine. The problem is when a user is a member of BOTH of the created AD groups. When a user is a member of both, then the group at the top of the list on the "Active directory settings" page at Controller -> Authentication -> Active Directory works, but no other group works. Basically, it seems that if a user is a member of 2 groups where one group is set for "Access Control" and the second group is NOT set for "Access Control", then whichever group is at the top of the list will work.

I can replicate this very easily by adding a user to both groups, then that user can only authenticate if the group is at the top of the "Active Directory Settings" list. If the user is removed from either group and is left with only one group defined in the AD Settings list then the respective VSC works fine.


Is this a known issue or just how it all works under 5.5.3 now?

ISoliman
Super Advisor

Re: Active Directory group issue after applying 5.5.3

As per the manual, this is the normal behaviour; please see the excerpt below from the "Management and Configuration Guide":


Once a user is authenticated by Active Directory, the controller retrieves the names of all the Active Directory groups of which the user is a member.
- If the user is a member of only one Active Directory group, and that group name appears in the list, the controller applies the attributes from that group.
- If the user is a member of more than one Active Directory group, the controller applies the attributes from the matching group name with the highest priority (highest in the list).


If no match is found, the attributes defined for one of the default groups are applied as follows:
- If the VSC the user logged in on is access-controlled, then the Default AC Active Directory group is used.
- If the VSC the user logged in on is not access-controlled, then the Default non AC Active Directory group is used.


Does that confirm your findings? ;)


Kind Regards,

Islam
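The selection rule quoted from the manual above, modelled as an added example (this is not HP's code and not from the original thread). It walks the controller's ordered group list, picks the first entry the user belongs to, and otherwise falls back to the default group for the VSC type. The group names, the ordering and the user memberships are constructed to match the setup described in the question; the final "admitted" check, which treats a mismatch between the selected group's access-control setting and the VSC's as a denial, is an assumption that models the poster's observation rather than anything the manual excerpt states, and case-insensitive group-name matching is likewise assumed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AdGroupEntry:
    """One row of the controller's 'Active Directory settings' list."""
    name: str
    access_controlled: bool   # the 'Access Control' flag on that row


# Ordered as on the settings page: index 0 is the highest-priority row.
# Constructed to mirror the poster's configuration (assumption, not a real export).
GROUP_LIST: List[AdGroupEntry] = [
    AdGroupEntry("HP_SECURE", access_controlled=False),  # non-AC, 802.1X VSC
    AdGroupEntry("HP_GUEST", access_controlled=True),    # AC, HTTP VSC
]

# The two built-in fallbacks named in the manual excerpt.
DEFAULT_AC = AdGroupEntry("Default AC Active Directory group", True)
DEFAULT_NON_AC = AdGroupEntry("Default non AC Active Directory group", False)


def select_group(user_groups: List[str],
                 group_list: List[AdGroupEntry],
                 vsc_access_controlled: bool) -> AdGroupEntry:
    """Return the entry whose attributes the controller applies.

    Implements the quoted rule: the first (highest-priority) row whose name
    matches one of the user's AD groups wins; with no match, the default
    group for the VSC type is used. Matching is case-insensitive here
    (assumption: AD group names are not case-sensitive).
    """
    membership = {g.lower() for g in user_groups}
    for entry in group_list:
        if entry.name.lower() in membership:
            return entry
    return DEFAULT_AC if vsc_access_controlled else DEFAULT_NON_AC


def login_outcome(user_groups: List[str],
                  group_list: List[AdGroupEntry],
                  vsc_access_controlled: bool) -> Tuple[str, bool]:
    """Return (selected group name, admitted?).

    'admitted' is an assumed model of the poster's observation: the login
    succeeds only when the selected group's access-control setting matches
    the VSC the user is logging in on.
    """
    entry = select_group(user_groups, group_list, vsc_access_controlled)
    return entry.name, entry.access_controlled == vsc_access_controlled


def outcomes_for_both_vscs(user_groups: List[str],
                           group_list: List[AdGroupEntry]) -> dict:
    """Evaluate one user against the non-AC SECURE VSC and the AC GUEST VSC."""
    return {
        "SECURE": login_outcome(user_groups, group_list, vsc_access_controlled=False),
        "GUEST": login_outcome(user_groups, group_list, vsc_access_controlled=True),
    }


if __name__ == "__main__":
    # Constructed sample users (not real directory data).
    for user, groups in {
        "alice": ["HP_SECURE"],
        "bob": ["HP_GUEST"],
        "carol": ["HP_SECURE", "HP_GUEST"],   # member of BOTH
        "dave": ["Domain Users"],             # matches neither row
    }.items():
        print(user, outcomes_for_both_vscs(groups, GROUP_LIST))
    # Reordering the list flips which VSC the dual-member user can reach.
    print("carol, reordered", outcomes_for_both_vscs(["HP_SECURE", "HP_GUEST"], list(reversed(GROUP_LIST))))
```

Running it shows the behaviour the thread describes: a user in only one group is admitted to that group's VSC, the dual-member user is admitted only to the VSC matching the top row, and swapping the two rows swaps which VSC denies that user.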

Don Duvall_1
Occasional Contributor

Re: Active Directory group issue after applying 5.5.3

Sorry, I should have mentioned that I have read the documentation and found that exact entry.


I'll refine my question; here we go.


If a user is a member of 2 groups, one group being assigned to an access-controlled VSC and another group being assigned to a non-AC VSC, will that user only ever be able to join whichever VSC is at the top of the list? If this is the case, then this is working as designed?

I think it's kind of funny that in this situation a user would be completely excluded from using a VSC that they are clearly a member of, through no fault of that group or how it was set up. Being a member of 2 groups should, I'd think, give access to any VSCs they are bound to, regardless of whether either is access controlled or of the order in the group list. If I set up 2 VSCs with corresponding groups, one access controlled for guest usage and general Internet surfing and the other one set up for secure 802.1X authentication and no access control, then you will only ever be able to use the VSC that is highest in the list; the other VSC in the second spot on the list will give you an access denied message.


Weird.