Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Map Users to Roles Using Attributes or VLAN IDs
VLAN IDs to map users into user roles. Mapping rules can be created for a range of VLAN IDs, and
attribute matches can be made case-insensitive. This allows multiple conditions to be flexibly configured
for a mapping rule.
A mapping rule comprises an auth provider type, a rule expression, and the user role into which to map
the user. The rule expression comprises one condition or a combination of conditions that the user
parameters must match for the user to be mapped into the specified user role. A condition comprises a
condition type, a source attribute name, an operator, and the attribute value against which the
particular attribute is matched.
To create a mapping rule, first add (save) conditions to configure a rule expression. Once the rule
expression is created, you can add the mapping rule to the auth server for the specified user role.
Mapping rules can be cascading. If a source has more than one mapping rule, the rules are evaluated in
the order in which they appear in the mapping rules list. The role for the first positive mapping rule is
used. Once a rule is met, other rules are not tested. If no rule is true, the default role for that
authentication source is used.
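The first-match evaluation described above makes rule order security-relevant: a broad rule listed first can keep a more specific rule from ever being reached. The following Python model is an added illustration, not Cisco code or the Clean Access Manager's implementation; the operator names, the AND-only combination of conditions, the `memberOf` attribute, the role names and the sample users are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Condition:
    kind: str            # condition type: "attribute" or "vlan" (assumed names)
    name: str            # source attribute name; unused for VLAN conditions
    op: str              # "equals", "contains" or "in_range" (assumed operator names)
    value: object        # string for attributes, (low, high) tuple for a VLAN ID range
    ignore_case: bool = False

    def matches(self, user):
        if self.kind == "vlan":
            low, high = self.value
            vlan = user.get("vlan_id")
            return vlan is not None and low <= vlan <= high
        actual = user.get("attributes", {}).get(self.name)
        if actual is None:
            return False
        expected = self.value
        if self.ignore_case:
            actual, expected = actual.lower(), expected.lower()
        return actual == expected if self.op == "equals" else expected in actual

@dataclass
class MappingRule:
    conditions: list     # assumption: every condition must match (AND only)
    role: str

def map_user(user, rules, default_role):
    """Return the role of the first rule whose expression is true, else the default."""
    for rule in rules:
        if all(c.matches(user) for c in rule.conditions):
            return rule.role   # first positive rule wins; later rules are not tested
    return default_role

def shadowed_rules(rules, sample_users):
    """Roles of rules that never win for any sample user: likely ordering mistakes."""
    winners = {map_user(u, rules, None) for u in sample_users}
    return [r.role for r in rules if r.role not in winners]

# Constructed sample rules and users (not taken from the guide)
BROAD = MappingRule([Condition("attribute", "memberOf", "contains", "staff", True)], "Employee")
ADMIN = MappingRule([Condition("attribute", "memberOf", "contains", "staff-admins", True),
                     Condition("vlan", "", "in_range", (10, 20))], "NetAdmin")
USERS = [
    {"attributes": {"memberOf": "CN=Staff-Admins,DC=example"}, "vlan_id": 15},
    {"attributes": {"memberOf": "CN=Staff,DC=example"}, "vlan_id": 30},
    {"attributes": {"memberOf": "CN=Guests,DC=example"}, "vlan_id": 99},
]
```

With the broad rule listed first, the admin user is mapped to `Employee` and `shadowed_rules` reports `NetAdmin` as unreachable; listing the specific rule first resolves it.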
Configure Mapping Rule
1. Do one of the following:
• Go to User Management > Auth Servers > Mapping Rules and click the Add Mapping Rule link
for the authentication server.
• Click the Mapping icon for the auth server under User Management > Auth Servers > List
(Figure 7-23), then click the Add Mapping Rule link for the auth server (Figure 7-24).
Figure 7-23 List of Auth Servers