NAC and host authentication in AD / LDAP

Unanswered Question
gojericho0 Fri, 01/04/2008 - 05:25

Hi Jim,

Yes, you can do this with MAC/IP filtering. If you want to do this globally, you can click on Filtering when you first log into the CAM.

You then create a new filter that will assign specific MAC and/or IP addresses to a role, e.g. Laptop and Desktop.

Now whenever a laptop or desktop connects to the network it will be placed in the appropriate role, and you can create a specific policy for that role just as you would for a default unauthenticated or quarantine role.

wiluszm Fri, 01/04/2008 - 06:30
Interesting question, never thought of doing it that way. Here's what I can figure out so far. When using AD/LDAP for role mapping, you key off a "Search Filter" set under the Lookup Server configuration. Taking a look at my config, this is currently set as sAMAccountName=$user$ for my integration.

I've gone through our LDAP structure and looked at workstation CNs rather than user CNs. I see the following fields of interest:




Hrm.... looks like something. I think we're stuck though because the CAM forwards the user's username under the "Search Filter" setting. I'd check with TAC or wait for someone to come along from Cisco that can answer whether the Search Filter can be set to something like:


I think this would then be able to map attributes for that workstation that could be used for role mapping.

Just guessing here... hope this helps though.
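Added example (not Cisco's code and not from either poster) illustrating the role-mapping lookup discussed above: a filter template such as sAMAccountName=$user$ is expanded by substituting the value the appliance forwards, and a second placeholder ($host$, a hypothetical name for a workstation lookup) shows how the same expansion would target a computer account, whose sAMAccountName in Active Directory ends in "$". Whether the CAM escapes the substituted value is not stated in the thread; the escaping here follows RFC 4515 so that a forwarded value is compared literally instead of being parsed as filter syntax. The directory entries are constructed, and the matcher handles only simple equality filters, which is all the template on the page uses.

```python
import re

# RFC 4515: these characters must be escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory (not a real domain). Attribute names are stored
# lower-cased because LDAP attribute names are case-insensitive.
USER_DN = "CN=Jim Smith,OU=Users,DC=example,DC=com"
COMPUTER_DN = "CN=LAPTOP-042,OU=Workstations,DC=example,DC=com"
DIRECTORY = [
    {"dn": USER_DN, "objectclass": "user", "samaccountname": "jsmith"},
    # AD computer accounts carry a trailing "$" in sAMAccountName.
    {"dn": COMPUTER_DN, "objectclass": "computer", "samaccountname": "LAPTOP-042$",
     "operatingsystem": "Windows XP"},
]


def escape_filter_value(value: str) -> str:
    """Escape a raw value so the directory compares it literally."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(template: str, variables: dict) -> str:
    """Expand $name$ placeholders (the sAMAccountName=$user$ style) with escaped values.

    The $host$ placeholder used in the tests is hypothetical; the page only
    documents $user$.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value supplied for placeholder ${name}$")
        return escape_filter_value(variables[name])

    return re.sub(r"\$(\w+)\$", substitute, template)


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into characters for literal comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern: str, actual: str) -> bool:
    """Equality match with LDAP wildcard semantics: an unescaped '*' is a wildcard,
    an escaped one (\\2a) is a literal asterisk. Matching is case-insensitive,
    as it is for directoryString attributes such as sAMAccountName."""
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE) is not None


def match_equality_filter(entry: dict, search_filter: str) -> bool:
    """Evaluate a single equality filter, with or without surrounding parentheses."""
    f = search_filter.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, sep, value = f.partition("=")
    if not sep:
        raise ValueError(f"not an equality filter: {search_filter!r}")
    actual = entry.get(attr.strip().lower())
    return actual is not None and _value_matches(value, actual)


def search(entries: list, search_filter: str) -> list:
    """Return the DNs of entries the filter matches (the lookup the CAM performs)."""
    return [e["dn"] for e in entries if match_equality_filter(e, search_filter)]


if __name__ == "__main__":
    # Normal user lookup, exactly as the page's template does it.
    print(search(DIRECTORY, expand_search_filter("sAMAccountName=$user$", {"user": "jsmith"})))
    # Escaped substitution: a forwarded "*" matches nothing instead of every entry.
    print(search(DIRECTORY, expand_search_filter("sAMAccountName=$user$", {"user": "*"})))
    # The same expansion aimed at a computer account (hypothetical $host$ placeholder).
    print(search(DIRECTORY, expand_search_filter("sAMAccountName=$host$", {"host": "LAPTOP-042$"})))
```

Running the block shows the user lookup returning only the user entry, the escaped wildcard returning nothing, and the workstation lookup returning the computer account; passing the raw filter sAMAccountName=* to search() instead returns every entry, which is the difference the escaping step makes.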