Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Map Users to Roles Using Attributes or VLAN IDs
The Mapping Rules forms can be used to map users into user role(s) based on the following parameters:
• The VLAN ID of user traffic originating from the untrusted side of the CAS (all auth server types)
Note Only Layer 2 Adjacency mode is supported.
• Authentication attributes passed from LDAP and RADIUS auth servers (and RADIUS attributes passed from Cisco VPN Concentrators)
Note You cannot reliably use the “memberOf” attribute to determine the user’s Primary Group in an LDAP Active Directory group membership query. You must use a workaround method to be able to map the user’s Primary Group VLAN ID, based on Active Directory group membership.
For more information, see the following Microsoft Knowledge Base articles:
http://support.microsoft.com/kb/275523
http://support.microsoft.com/kb/321360
For example, if you have two sets of users on the same IP subnet but with different network access privileges (e.g. wireless employees and students), you can use an attribute from an LDAP server to map one set of users into a particular user role. You can then create traffic policies to allow network access to one role and deny network access to other roles. (See Chapter 8, “User Management: Traffic Control, Bandwidth, Schedule” for details on traffic policies.)
Cisco NAC Appliance performs the mapping sequence as shown in Figure 7-22.
Figure 7-22 Mapping Rules
Note For an overview of how mapping rules fit into the scheme of user roles, see Figure 6-1 Normal Login User Roles, page 6-3.
Cisco NAC Appliance allows the administrator to specify complex Boolean expressions when defining mapping rules for Kerberos, LDAP and RADIUS authentication servers. Mapping rules are broken down into conditions and you can use Boolean expressions to combine multiple user attributes and multiple
[Figure 7-22 Mapping Rules (flowchart): user enters credentials → valid credentials? → (yes) mapping rules? → yes: match rules & assign role; no: assign default role for auth server]
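The following is an added example, not code from the Cisco NAC Appliance or this guide. It is a small Python evaluator that mirrors the Figure 7-22 sequence (reject invalid credentials, otherwise apply the mapping rules, otherwise fall back to the auth server's default role) for the wireless employees/students scenario above, with rules built as Boolean expressions over LDAP attributes and the untrusted-side VLAN ID. The operator names, the first-match rule ordering, the role names, the VLAN numbers and the user records are constructed assumptions; the user "carol" illustrates the note above that a rule keyed on memberOf cannot see a user's Primary Group, because Active Directory does not return the Primary Group in memberOf.

```python
# Added example (not Cisco's code): a toy evaluator that mirrors the Figure 7-22
# flow. Operators, rule ordering, roles, VLAN numbers and users are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union

Attrs = Dict[str, Union[str, Sequence[str]]]


@dataclass(frozen=True)
class Condition:
    """One attribute test, e.g. memberOf contains "CN=Employees"."""
    attr: str    # LDAP/RADIUS attribute name, or the pseudo-attribute "vlan_id"
    op: str      # assumed operators: "equals", "contains" or "starts_with"
    value: str

    def matches(self, attrs: Attrs) -> bool:
        actual = attrs.get(self.attr)
        if actual is None:
            return False
        # Multi-valued attributes such as memberOf arrive as a list; normalize.
        values = [str(v) for v in (actual if isinstance(actual, (list, tuple)) else [actual])]
        if self.op == "equals":
            return any(v == self.value for v in values)
        if self.op == "contains":
            return any(self.value in v for v in values)
        if self.op == "starts_with":
            return any(v.startswith(self.value) for v in values)
        raise ValueError(f"unknown operator {self.op!r}")


# A Boolean expression is a Condition or a tuple ("and" | "or" | "not", operand, ...).
Expr = Union[Condition, Tuple]


def evaluate(expr: Expr, attrs: Attrs) -> bool:
    """Recursively evaluate a Boolean expression over the user's attributes."""
    if isinstance(expr, Condition):
        return expr.matches(attrs)
    op, *operands = expr
    if op == "and":
        return all(evaluate(e, attrs) for e in operands)
    if op == "or":
        return any(evaluate(e, attrs) for e in operands)
    if op == "not":
        return not evaluate(operands[0], attrs)
    raise ValueError(f"unknown Boolean operator {op!r}")


@dataclass(frozen=True)
class MappingRule:
    role: str
    expr: Expr


@dataclass(frozen=True)
class AuthServer:
    name: str
    default_role: str
    rules: List[MappingRule]  # assumption: evaluated top to bottom, first match wins


def assign_role(server: AuthServer, credentials_valid: bool,
                user_attrs: Attrs, vlan_id: int) -> Optional[str]:
    """Figure 7-22: no role for bad credentials; else first matching rule; else default."""
    if not credentials_valid:
        return None
    attrs: Attrs = dict(user_attrs)
    attrs["vlan_id"] = str(vlan_id)  # VLAN ID of the traffic seen on the untrusted side
    for rule in server.rules:
        if evaluate(rule.expr, attrs):
            return rule.role
    return server.default_role


# Constructed sample configuration: wireless employees and students share a subnet.
EMPLOYEES = Condition("memberOf", "contains", "CN=Employees")
STUDENTS = Condition("memberOf", "contains", "CN=Students")
WIRELESS = Condition("vlan_id", "equals", "20")

LDAP_SERVER = AuthServer(
    name="corp-ldap",
    default_role="guest",
    rules=[
        MappingRule("employee", ("and", EMPLOYEES, ("not", STUDENTS))),
        MappingRule("student", ("and", STUDENTS, WIRELESS)),
    ],
)

# Constructed users. Carol's only membership is her AD Primary Group, which AD
# does not list in memberOf, so a memberOf-based rule cannot see it.
ALICE = {"sAMAccountName": "alice", "memberOf": ["CN=Employees,OU=Groups,DC=example,DC=com"]}
BOB = {"sAMAccountName": "bob", "memberOf": ["CN=Students,OU=Groups,DC=example,DC=com"]}
CAROL = {"sAMAccountName": "carol", "memberOf": []}


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user["sAMAccountName"], "->", assign_role(LDAP_SERVER, True, user, 20))
```

Running the block shows alice mapped to "employee", bob to "student", and carol falling through to the server's default role "guest" even though her Primary Group is Students; a deployment that relies on Primary Group membership needs the workaround referenced in the Microsoft Knowledge Base articles above rather than a memberOf rule.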