6-4
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 6 User Management: Configuring User Roles and Local Users
Create User Roles
Normal Login Role
There can be multiple normal login roles (including “restricted access” roles) in the system. A user is
put into a normal login role after a successful login. You can configure normal login roles to associate
users with the following:
Network access traffic control policies—which parts of the network and which application ports
users can access while in the role.
VLAN ID:
For In-Band users, retag traffic (to/from users in the role) destined to the trusted network to
differentiate priority to the upstream router.
For Out-of-Band (OOB) users, set the Access VLAN ID for users in the role if using role-based
configuration.
Cisco NAC Appliance network scanning plugins—the Nessus port scanning to perform, if any.
Agent requirements—the software package requirements client systems must have.
End-user HTML page(s) displayed after successful or unsuccessful web logins—the pages and
information to show to web login users in various subnets/VLANs/roles. See Chapter 5,
“Configuring User Login Page and Guest Access” for further details.
Typically, there are a number of normal login roles in a deployment, for example roles for Students,
Faculty, and Staff (or Engineering, HR, Sales). You can assign normal login roles to users in several
ways:
By the MAC address or subnet of a client device.
You can assign a role to a device or subnet through Device Management > Filters. See Global
Device and Subnet Filtering, page 2-10 for details.
By local user attributes. Local users are primarily used for testing and are authenticated internally
by the Clean Access Manager rather than an external authentication server. You can assign a role to
a local user through User Roles > Local Users. See Create Local User Accounts, page 6-15.
By external authentication server attributes. For users validated by an external authentication server,
the role assigned can be based on:
The untrusted network VLAN ID of the user.
This allows you to use untrusted network information to map users into a user role.
The authentication attributes passed from LDAP and RADIUS authentication servers.
This allows you to use authentication attributes to map different users to different roles within
Cisco NAC Appliance. If no mapping rules match a user, that user is assigned the default role
specified for the authentication server after login. Both VLAN mapping and attribute mapping are
configured through User Management > Auth Servers > Mapping Rules.
For details, see Adding an Authentication Provider, page 7-4 and Map Users to Roles Using
Attributes or VLAN IDs, page 7-31.
Role Assignment Priority
Note that the order of priority for role assignment is as follows:
1. MAC address
2. Subnet / IP Address
3. Login information (login ID, user attributes from auth server, VLAN ID of user machine, etc.)
Because device filters (steps 1 and 2) are evaluated before login information, a role set on a MAC
address or subnet filter takes effect regardless of the role the authentication server mapping rules
would otherwise assign to the user who logs in from that device.
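The following is an added illustration of the precedence order above together with the Auth Servers > Mapping Rules behaviour described earlier in this section. It is not Clean Access Manager code; it is a stand-alone model written for this page. The data classes, function names, the sample filters, users and LDAP attribute values are all constructed for the example, and the choice to resolve overlapping subnet filters by longest prefix is an assumption rather than something the guide states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Model of the role-assignment order documented in the guide:
#   1. MAC address filter  2. Subnet / IP filter  3. login information.
# Everything below is an illustrative reconstruction, not CAM source code.


def normalize_mac(mac: str) -> str:
    """Canonical MAC: lowercase hex with separators removed (00-1A-.. -> 001a..)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class MacFilter:          # Device Management > Filters, MAC entry
    mac: str
    role: str


@dataclass(frozen=True)
class SubnetFilter:       # Device Management > Filters, subnet entry (CIDR)
    network: str
    role: str


@dataclass(frozen=True)
class MappingRule:
    """One Auth Servers > Mapping Rules entry: match either the untrusted
    VLAN ID or one attribute returned by the LDAP/RADIUS server."""
    role: str
    vlan_id: Optional[int] = None
    attribute: Optional[str] = None
    value: Optional[str] = None

    def matches(self, vlan_id: Optional[int], attributes: dict) -> bool:
        if self.vlan_id is not None:
            return vlan_id == self.vlan_id
        if self.attribute is not None:
            return attributes.get(self.attribute) == self.value
        return False


@dataclass(frozen=True)
class AuthServer:
    name: str
    default_role: str          # used when no mapping rule matches
    rules: tuple = ()


@dataclass
class Login:
    mac: str
    ip: str
    username: str
    untrusted_vlan: Optional[int] = None
    auth_server: Optional[AuthServer] = None   # None = local user database
    attributes: dict = field(default_factory=dict)


# Constructed sample configuration (assumed values, not from the guide).
MAC_FILTERS = (MacFilter("00-1A-2B-3C-4D-5E", "Printers"),)
SUBNET_FILTERS = (
    SubnetFilter("10.20.0.0/16", "Lab"),
    SubnetFilter("10.20.30.0/24", "Lab-Quarantine"),
)
LOCAL_USERS = {"nactest": "Staff"}    # User Roles > Local Users
CAMPUS_LDAP = AuthServer(
    "campus-ldap",
    default_role="Students",
    rules=(
        MappingRule("Guest", vlan_id=99),
        MappingRule("Faculty", attribute="memberOf",
                    value="cn=faculty,ou=groups,dc=example,dc=edu"),
    ),
)


def assign_role(login: Login) -> tuple:
    """Return (role, reason) following the guide's priority order."""
    mac = normalize_mac(login.mac)
    for f in MAC_FILTERS:                       # 1. MAC address
        if normalize_mac(f.mac) == mac:
            return f.role, f"MAC filter {f.mac}"
    addr = ipaddress.ip_address(login.ip)
    hits = [f for f in SUBNET_FILTERS if addr in ipaddress.ip_network(f.network)]
    if hits:                                    # 2. subnet / IP (assumed: longest prefix wins)
        best = max(hits, key=lambda f: ipaddress.ip_network(f.network).prefixlen)
        return best.role, f"subnet filter {best.network}"
    if login.auth_server is None:               # 3a. local user database
        if login.username not in LOCAL_USERS:
            raise ValueError(f"unknown local user {login.username!r}")
        return LOCAL_USERS[login.username], "local user"
    for rule in login.auth_server.rules:        # 3b. auth server mapping rules, in order
        if rule.matches(login.untrusted_vlan, login.attributes):
            return rule.role, f"{login.auth_server.name} mapping rule"
    return login.auth_server.default_role, f"{login.auth_server.name} default role"


if __name__ == "__main__":
    faculty = {"memberOf": "cn=faculty,ou=groups,dc=example,dc=edu"}
    print(assign_role(Login("00:1a:2b:3c:4d:5e", "192.0.2.10", "prof", 10, CAMPUS_LDAP, faculty)))
    print(assign_role(Login("08-00-27-00-00-01", "10.20.30.7", "prof", 10, CAMPUS_LDAP, faculty)))
    print(assign_role(Login("08-00-27-00-00-02", "192.0.2.11", "prof", 10, CAMPUS_LDAP, faculty)))
```

The first call shows the caveat that matters operationally: the faculty member logging in from the MAC-filtered device still lands in the Printers role, because device filters are resolved before any login information is consulted.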