I am confused by configuring MAC authentication bypass with an external LDAP database on CS-ACS v4.1 (appliance).
Communication with the LDAP database looks OK: in the first step there is a request for the username with the requested MAC address, and ACS gets back the username;
the second step is a request for the group_name which includes this username. ACS again gets back an answer with the proper group name
CN=Agentless_Hosts, but all this ends with the error:
Access rejected due to authorization policy in the network access profiles
I have defined the GroupName Agentless_Hosts on ACS with the proper configuration. This group is used in the
Authorization rule of the NAP for agentless hosts. (Tested with the local database - all worked.)
It seems to me that the string from the LDAP server is not parsed to the GroupName on the ACS server.
Maybe the problem could be in the LDAP schema.
I use:
Base DN: CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ
MAC Addresses: CN=MAC Addresses,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ
MAC Groups: CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ
When I look in the packet with the result from the second step, I can see that ACS gets the answer in the form:
CN=Agentless_Hosts,CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ
Can somebody point me to what is wrong?
What does ACS use from the LDAP string CN=Agentless_Hosts,CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ as the GroupName
in the Authorization rule of the NAP?
Thank you for any help.
Regards
Pavel Navratil
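As an added example (not part of the original post), here is a small Python helper that splits the DN returned by the LDAP server into its RDNs, following the RFC 4514 escaping rules, and reports whether the configured group name equals the leaf CN or the full DN. Whether ACS compares the leaf CN rather than the whole DN is an assumption made for this illustration, not something the post states; the helper only makes the candidate strings visible for comparison.

```python
from __future__ import annotations
from typing import List, Optional, Tuple

# Added example, not code from the original post. The DN below is the one
# quoted in the post; the group name is the one the poster configured on ACS.
RETURNED_DN = "CN=Agentless_Hosts,CN=MAC Groups,CN=MAB Segment,CN=VSCHT_Net,DC=VSCHT,DC=CZ"
CONFIGURED_GROUP = "Agentless_Hosts"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes
    so that an escaped comma inside a value does not start a new RDN."""
    rdns: List[Tuple[str, str]] = []
    attr: Optional[str] = None
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:  # first '=' ends the attribute name
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":                  # unescaped comma ends the RDN
            rdns.append((attr or "", "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
    if attr is not None:                 # flush the last RDN
        rdns.append((attr, "".join(buf).strip()))
    return rdns


def leaf_cn(dn: str) -> Optional[str]:
    """Value of the leftmost RDN if it is a CN, else None."""
    rdns = split_dn(dn)
    return rdns[0][1] if rdns and rdns[0][0].lower() == "cn" else None


def group_match_report(returned_dn: str, configured_group: str) -> dict:
    """Compare the configured group name against the two plausible candidates:
    the leaf CN alone and the full DN (assumption: matching is case-insensitive)."""
    leaf = leaf_cn(returned_dn)
    return {
        "leaf_cn": leaf,
        "leaf_cn_matches": leaf is not None and leaf.lower() == configured_group.lower(),
        "full_dn_matches": returned_dn.lower() == configured_group.lower(),
    }


if __name__ == "__main__":
    print(group_match_report(RETURNED_DN, CONFIGURED_GROUP))
```

If the leaf CN matches but the full DN does not, the group name itself is consistent and the mismatch is in how the server's result is mapped, not in the name; if neither matches, compare the configured name against the raw returned string character by character.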