Chapter 5 Security Options
authentication type, or the information may be learned from the authentication server through an attribute. Any attribute may be used – the server rule specifies how that attribute is mapped into a role or VLAN. Server rules are executed in order, and multiple server rules may be configured for each authentication server. To add a new server rule, click Add.
FIGURE 5-15 Add LDAP Server Rule
Available configuration parameters are:
Rule Type – Specifies whether the server rule is used to determine role assignment or VLAN assignment.
Attribute – Specifies the attribute that will contain the role or VLAN information.
Condition – Specifies how the system will match the attribute. If the condition is set to “value-of”, the contents of the attribute are used literally as the role or VLAN assignment. For example, if the attribute is set to “Filter-ID” and the condition is set to “value-of”, an LDAP server that returns “IT-Staff” inside the Filter-ID attribute sets the user’s role to “IT-Staff”.
Value – If the condition is set to any option other than “value-of”, the value specifies what the contents of the attribute must be for the rule to match. For example, if the attribute is set to “Filter-ID”, the condition is set to “equals”, and the value is set to “IT”, the rule matches (and its role is selected) when the LDAP server returns the Filter-ID attribute containing the value “IT”.
Role/VLAN – Specifies the role or VLAN that will be set if the rule is matched.
The equivalent CLI configuration for a value-of rule (this example uses an attribute named "role" rather than Filter-ID) is:
aaa derivation-rules server LDAP1 set role condition "role" value-of
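The rule evaluation described above, modeled in Python as an added example (this is not ArubaOS code and not part of the original guide). It takes the dialog's fields (rule type, attribute, condition, value, role/VLAN), evaluates the rules in configured order against the attributes an authentication server returned, and shows the cases a practitioner cares about: an attribute the server did not return, a value-of rule whose literal value is not a role the controller knows, and rule order changing the outcome. Four things are assumptions of the example rather than statements from the page: the first matching rule of each type wins, the optional known_roles check, the attribute name "departmentVlan", and the string operators beyond "value-of" and "equals".

```python
"""Model of authentication-server derivation (server) rules.

Added example written for this page; not ArubaOS code.  A rule names a rule type
(role or vlan), a server attribute, a condition, an optional match value and the
role/VLAN to set; rules are evaluated in the order configured.  Assumptions for
the example (not stated by the guide): the first matching rule of each type wins,
and the optional known_roles check discards a value-of result that names a role
the controller does not have.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# "value-of" and "equals" appear on the page; the rest are common string operators
# added so the evaluator covers the "any option other than value-of" case.
CONDITIONS = {"value-of", "equals", "not-equals", "contains", "starts-with", "ends-with"}
RULE_TYPES = {"role", "vlan"}


@dataclass(frozen=True)
class ServerRule:
    """One server rule, with the fields of the Add LDAP Server Rule dialog."""
    rule_type: str                # "role" or "vlan"
    attribute: str                # server attribute to inspect, e.g. "Filter-ID"
    condition: str                # one of CONDITIONS
    value: Optional[str] = None   # required contents for non-value-of conditions
    target: Optional[str] = None  # role or VLAN to set; unused for "value-of"


def rule_matches(rule: ServerRule, attr_value: str) -> bool:
    """Apply the rule's condition to the attribute value the server returned."""
    if rule.condition == "value-of":
        return True  # any returned value matches; it is then used literally
    if rule.value is None:
        return False  # a comparison rule with nothing to compare against never matches
    if rule.condition == "equals":
        return attr_value == rule.value
    if rule.condition == "not-equals":
        return attr_value != rule.value
    if rule.condition == "contains":
        return rule.value in attr_value
    if rule.condition == "starts-with":
        return attr_value.startswith(rule.value)
    if rule.condition == "ends-with":
        return attr_value.endswith(rule.value)
    raise ValueError(f"unknown condition {rule.condition!r}")


def derive(rules: Iterable[ServerRule], attributes: Dict[str, str],
           known_roles: Optional[Iterable[str]] = None) -> Dict[str, Optional[str]]:
    """Evaluate rules in configured order against the server's attributes.

    Returns {"role": ..., "vlan": ...}, each None if no rule of that type matched.
    A rule whose attribute the server did not return is skipped.  When known_roles
    is given, a role picked by a value-of rule must be one of them, so an unexpected
    attribute value cannot name a role that does not exist on the controller.
    """
    roles = set(known_roles) if known_roles is not None else None
    result: Dict[str, Optional[str]] = {"role": None, "vlan": None}
    for rule in rules:
        if rule.rule_type not in RULE_TYPES:
            raise ValueError(f"unknown rule type {rule.rule_type!r}")
        if rule.condition not in CONDITIONS:
            raise ValueError(f"unknown condition {rule.condition!r}")
        if result[rule.rule_type] is not None:
            continue  # an earlier rule already decided this assignment (assumed first-match)
        attr_value = attributes.get(rule.attribute)
        if attr_value is None or not rule_matches(rule, attr_value):
            continue
        chosen = attr_value if rule.condition == "value-of" else rule.target
        if chosen is None:
            continue  # comparison rule configured without a role/VLAN to set
        if rule.rule_type == "role" and roles is not None and chosen not in roles:
            continue  # literal attribute value is not a role on this controller
        result[rule.rule_type] = chosen
    return result


# Constructed rules mirroring the two examples in the text, plus a VLAN rule on a
# hypothetical attribute "departmentVlan" (an assumed name, not one from the page).
RULES = [
    ServerRule("role", "Filter-ID", "equals", value="IT", target="employee"),
    ServerRule("role", "Filter-ID", "value-of"),
    ServerRule("vlan", "departmentVlan", "value-of"),
]
KNOWN_ROLES = {"IT-Staff", "employee", "guest"}

# Constructed attribute sets as an authentication server might return them.
IT_STAFF = {"Filter-ID": "IT-Staff", "departmentVlan": "20"}
IT_ONLY = {"Filter-ID": "IT"}
UNKNOWN_ROLE = {"Filter-ID": "Finance"}  # no such role on the controller
NO_ATTRIBUTE = {"cn": "alice"}


if __name__ == "__main__":
    for name, attrs in [("IT_STAFF", IT_STAFF), ("IT_ONLY", IT_ONLY),
                        ("UNKNOWN_ROLE", UNKNOWN_ROLE), ("NO_ATTRIBUTE", NO_ATTRIBUTE)]:
        print(name, derive(RULES, attrs, KNOWN_ROLES))
```

Because a value-of rule copies whatever the server returns straight into the role assignment, the order of the rules and the set of roles that actually exist on the controller both decide what a user ends up with; the known_roles argument makes that second check explicit, and swapping the two Filter-ID rules shows that the same attribute value can land in a different role depending on ordering.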