NAC MAB and LDAP

Unanswered Question
May 29th, 2007

I am confused about configuring MAC authentication bypass with an external LDAP database on CS-ACS v4.1 (appliance).

Communication with the LDAP database looks OK. In the first step there is a request for the username with the requested MAC address, and ACS gets back the username.

The second step is a request for the group_name which includes this username. ACS again gets back an answer with the proper group name CN=Agentless_Hosts, but all this ends with the error:

Access rejected due to authorization policy in the network access profiles

I have defined the GroupName Agentless_Hosts on ACS with the proper configuration. This Group is used in the Authorization rule of the NAP for agentless hosts. (Tested with the local database - all worked.)


It seems to me that the string from LDAP server is not parsed to GroupName on ACS server.

Maybe the problem could be in the LDAP schema:

I use:

Base DN: CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ

MAC Addresses: CN=MAC Addresses,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ

MAC Groups: CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ


When I look in the packet with result from the second step I can see that ACS gets answer in form:

CN=Agentless_Hosts,CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ


Can somebody point out what is wrong?

What does ACS use from the LDAP string CN=Agentless_Hosts,CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ as the GroupName in the Authorization rule of the NAP?


Thank you for any help.


Regards


Pavel Navratil
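The two-step lookup described in the post, as an added example (not ACS code and not from the original thread): an in-memory stand-in for the directory tree, a MAC-to-user search, a user-to-group search, and extraction of the leaf CN from the returned group DN. Whether ACS compares the leaf CN or the whole DN is an assumption here; the MAC entry, its attribute layout and the `member` attribute are constructed for the example.

```python
"""Two-step MAB group lookup against an in-memory stand-in for the LDAP tree."""
import re

# Containers named in the post (the full DNs are the real ones from the question).
MAC_ADDRESSES_DN = "CN=MAC Addresses,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ"
MAC_GROUPS_DN = "CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ"

# Constructed directory content: entries keyed by DN, attribute values as lists
# (the MAC format and the use of a 'member' attribute are assumptions).
MAC_USER_DN = f"CN=00-11-22-33-44-55,{MAC_ADDRESSES_DN}"
DIRECTORY = {
    MAC_USER_DN: {"cn": ["00-11-22-33-44-55"]},
    f"CN=Agentless_Hosts,{MAC_GROUPS_DN}": {
        "cn": ["Agentless_Hosts"],
        "member": [MAC_USER_DN],
    },
}


def split_dn(dn):
    """Split an RFC 4514 DN into RDN strings, honouring backslash-escaped commas."""
    return [part.replace("\\,", ",") for part in re.split(r"(?<!\\),", dn)]


def leaf_cn(dn):
    """Return the value of the leftmost CN RDN, e.g. 'Agentless_Hosts' for the DN in the post."""
    attr, _, value = split_dn(dn)[0].partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"leftmost RDN is not a CN: {dn}")
    return value.strip()


def find_mac_user(mac):
    """Step 1: the entry under MAC Addresses whose cn equals the MAC address."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + MAC_ADDRESSES_DN) and mac in attrs.get("cn", []):
            return dn
    return None


def find_group_dn(user_dn):
    """Step 2: the group under MAC Groups whose member attribute lists the user DN."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + MAC_GROUPS_DN) and user_dn in attrs.get("member", []):
            return dn
    return None


def mab_group_name(mac):
    """Full chain: MAC -> user DN -> group DN -> leaf CN; None if any step fails."""
    user_dn = find_mac_user(mac)
    group_dn = find_group_dn(user_dn) if user_dn else None
    return leaf_cn(group_dn) if group_dn else None
```

A value such as `CN=MAC Groups` or the whole DN will not match a group mapping configured as `Agentless_Hosts`, so comparing what the lookup actually returns against the configured name is the first thing to check.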
