Specifications
7-34
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Map Users to Roles Using Attributes or VLAN IDs
conditions, instead of associating attribute types to attribute values, you choose two existing conditions to associate together, which become Left and Right Operands for the compound statement.
3. Attribute Name—Depending on the context, this field appears as follows:
– For a VLAN ID condition type (Figure 7-26), this field is called Property Name and is populated by default with “VLAN ID” (and disabled for editing).
– For LDAP servers (Figure 7-27), Attribute Name is a text field into which you type the source attribute you want to test. The name must be identical (case-sensitive) to the name of the attribute passed by the authentication source, unless you choose the equals ignore case operator to create the condition.
Note You cannot reliably use the “memberOf” attribute to determine the user’s Primary Group in an LDAP Active Directory Group membership query. Therefore, you must use a workaround method to be able to map the user’s Primary Group VLAN ID, based on Active Directory group membership.
For more information, see the following Microsoft Knowledge Base articles:
http://support.microsoft.com/kb/275523
http://support.microsoft.com/kb/321360
– For Cisco VPN servers, Attribute Name is a dropdown menu (Figure 7-30) with the following options: Class, Framed_IP_Address, NAS_IP_Address, NAS_Port, NAS_Port_Type, User_Name, Tunnel_Client_Endpoint, Service_Type, Framed_Protocol, Acct_Authentic
4. For RADIUS servers (Figure 7-28), the Condition fields are populated differently:
– Vendor—Choose Standard, Cisco, Microsoft, or WISPr (Wireless Internet Service Provider roaming) from the dropdown menu.
– Attribute Name—Choose from the set of attributes for each Vendor from the dropdown menu. For example, Standard has 253 attributes (Figure 7-31), Cisco has 30 attributes (Figure 7-32), Microsoft has 32 attributes (Figure 7-33), and WISPr has 11 attributes (Figure 7-33).
Note For RADIUS servers, only attributes returned in the “access-accept” packet are used for mapping.
– Data Type—(Optional) You can optionally specify Integer or String according to the value passed by the Attribute Name. If no data type is specified, Default is used.
5. Attribute Value—Type the value to be tested against the source Attribute Name.
6. Operator (Attribute)—Choose the operator that defines the test of the source attribute string.
– equals – True if the value of the Attribute Name matches the Attribute Value.
– not equals – True if the value of the Attribute Name does not match the Attribute Value.
– contains – True if the value of the Attribute Name contains the Attribute Value.
– starts with – True if the value of the Attribute Name begins with the Attribute Value.
– ends with – True if the value of the Attribute Name ends with the Attribute Value.
– equals ignore case – True if the value of the Attribute Name matches the Attribute Value string, regardless of whether the string is uppercase or lowercase.
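The following is an added example, not code from the Cisco guide or from the Clean Access Manager itself. It models how the conditions described in steps 3 through 6 evaluate against the attributes an authentication source returns: the six attribute operators, the case-sensitive Attribute Name match that is relaxed only for equals ignore case, the optional Integer Data Type, a VLAN ID condition modelled as an attribute named "VLAN ID", and a compound condition built from Left and Right Operands. The joining operator of the compound condition ("and"/"or"), the numeric comparison for the Integer data type, the treatment of a missing attribute as a non-match, and the role names and attribute values are assumptions or constructed sample data, not values from the guide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

# Attribute operators exactly as listed in step 6. Each receives the value
# passed by the authentication source and the configured Attribute Value.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda src, cfg: src == cfg,
    "not equals": lambda src, cfg: src != cfg,
    "contains": lambda src, cfg: cfg in src,
    "starts with": lambda src, cfg: src.startswith(cfg),
    "ends with": lambda src, cfg: src.endswith(cfg),
    "equals ignore case": lambda src, cfg: src.lower() == cfg.lower(),
}


@dataclass
class AttributeCondition:
    """One attribute or VLAN ID condition (steps 3-6). A VLAN ID condition is
    modelled as an attribute whose name is the fixed Property Name 'VLAN ID'."""
    attribute_name: str
    operator: str
    attribute_value: str
    data_type: str = "Default"   # "Integer", "String" or "Default"

    def _lookup(self, attributes: Dict[str, str]) -> Optional[str]:
        # The Attribute Name must match the source attribute exactly
        # (case-sensitive) unless the operator is "equals ignore case".
        if self.operator == "equals ignore case":
            wanted = self.attribute_name.lower()
            for name, value in attributes.items():
                if name.lower() == wanted:
                    return value
            return None
        return attributes.get(self.attribute_name)

    def evaluate(self, attributes: Dict[str, str]) -> bool:
        src = self._lookup(attributes)
        if src is None:
            return False   # assumption: an attribute the source did not return never matches
        cfg = self.attribute_value
        if self.data_type == "Integer":
            # Assumption: Integer compares both sides numerically, so "0110"
            # equals "110"; a non-numeric source value never matches.
            try:
                src, cfg = str(int(src)), str(int(cfg))
            except ValueError:
                return False
        return OPERATORS[self.operator](src, cfg)


@dataclass
class CompoundCondition:
    """Two existing conditions joined as Left and Right Operands. The guide
    names the operands; the joining operator ("and"/"or") is assumed here."""
    left: "Condition"
    operator: str
    right: "Condition"

    def evaluate(self, attributes: Dict[str, str]) -> bool:
        lhs, rhs = self.left.evaluate(attributes), self.right.evaluate(attributes)
        return (lhs and rhs) if self.operator == "and" else (lhs or rhs)


Condition = Union[AttributeCondition, CompoundCondition]


def map_user_to_role(attributes: Dict[str, str],
                     rules: List[Tuple[Condition, str]],
                     default_role: str) -> str:
    """Return the role of the first rule whose condition is true for the
    attributes the authentication source returned (for RADIUS, only those
    carried in the access-accept packet), otherwise the default role."""
    for condition, role in rules:
        if condition.evaluate(attributes):
            return role
    return default_role


# Constructed sample: attributes as an LDAP source and a VLAN lookup might return.
SAMPLE_ATTRIBUTES = {
    "memberOf": "CN=Engineering,OU=Groups,DC=example,DC=com",
    "department": "Eng",
    "VLAN ID": "110",
}

# Constructed rule set; the role names are placeholders, not from the guide.
SAMPLE_RULES: List[Tuple[Condition, str]] = [
    (CompoundCondition(
        AttributeCondition("memberOf", "contains", "CN=Engineering,"),
        "and",
        AttributeCondition("VLAN ID", "equals", "0110", "Integer")), "eng_vlan110"),
    (AttributeCondition("department", "equals ignore case", "ENG"), "eng_any"),
]

if __name__ == "__main__":
    print(map_user_to_role(SAMPLE_ATTRIBUTES, SAMPLE_RULES, "unprivileged"))
```

Two behaviours worth checking in your own rule set follow directly from the guide's text: a condition whose Attribute Name differs only in letter case from the source attribute silently never matches unless the operator is equals ignore case, and a RADIUS attribute that is present in the directory but not returned in the access-accept packet is invisible to the mapping, so the user falls through to the default role.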