Integrate NAC Appliance with Active Directory

Unanswered Question
Aug 20th, 2008

We are trying to implement, for our customer, NAC Appliance integrated with Active Directory single sign-on.

The NAC is configured as L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if that succeeds, the user is mapped to the VLAN assigned to them.

The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.

Let's say I have this situation:

1. User A has been assigned to VLAN 15 (Employee)

2. User A plugs into the switch, gets the dummy VLAN and authenticates using their domain account on AD. If that succeeds, the port is bounced; the user is running a Cisco agent in the background.

3. Now user A is on VLAN ID 15.

I've created the authentication server on the CAM for Active Directory, but I find it very difficult to configure the mapping rules between user roles and Active Directory. The NAC implementation guide PDF I downloaded from Cisco does not mention how to map user roles to Active Directory...

Has anyone configured mapping rules from user roles to Active Directory?

smahbub Tue, 08/26/2008 - 13:32

You can configure Cisco NAC Appliance to automatically authenticate Clean Access Agent users who are already logged into a Windows domain. AD SSO allows users logging into AD on their Windows systems to automatically go through posture assessment/Clean Access certification without ever having to log in through the Agent. Cisco NAC Appliance supports Windows Single Sign-On (SSO) on Windows Vista/XP/2000 client machines and AD on Windows 2000/2003 servers.

oranggil78 Tue, 08/26/2008 - 19:09

Yes, definitely... but the question is how to map user roles to Active Directory accounts? For example, user A is in the Finance group in AD, and user A is only allowed on VLAN 15...

The configuration on the CAM is under User management > Auth Server > Mapping rules...

ROBERT WATSON Wed, 08/27/2008 - 07:18

So you would create a mapping rule against your lookup server like so.

Say the AD group membership is "Finance".

For AD SSO you would apply the mapping rule to your LOOKUP server, where the expression is:

memberOf contains CN=Finance

and apply it to the role Employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.

Now you can't test this with AD SSO using the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
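The mapping rule described above, evaluated offline as an added example (this is not code from the thread or from Cisco's CAM). It assumes the rule semantics the reply implies: rules are tried in order, "contains" is a case-insensitive substring match on the memberOf DNs, and a role carries a VLAN. The group DNs, user names and the Contractor/Unauthenticated roles and VLANs are constructed for the example. It goes slightly beyond the thread to show the check a practitioner would want before trusting the rule: a substring match on CN=Finance also matches any group whose CN merely starts with "Finance", while an exact-DN rule does not.

```python
# Added example: evaluate NAC-style "memberOf contains ..." mapping rules over
# constructed AD lookup results. Not Cisco code; rule semantics are assumed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class MappingRule:
    attribute: str   # AD attribute the rule inspects, e.g. "memberOf"
    operator: str    # "contains" (substring) or "equals" (exact DN)
    value: str       # value compared against each attribute entry
    role: str        # NAC user role assigned when the rule matches


# Role -> VLAN assignment (Employee = VLAN 15 as in the thread; others constructed)
ROLE_VLAN: Dict[str, int] = {"Employee": 15, "Contractor": 20, "Unauthenticated": 999}


def rule_matches(rule: MappingRule, attrs: Dict[str, List[str]]) -> bool:
    """Return True if any value of the inspected attribute satisfies the rule.
    AD DNs compare case-insensitively, so both operators fold case (assumption)."""
    values = attrs.get(rule.attribute, [])
    if rule.operator == "contains":
        return any(rule.value.lower() in v.lower() for v in values)
    if rule.operator == "equals":
        return any(rule.value.lower() == v.lower() for v in values)
    raise ValueError(f"unsupported operator: {rule.operator}")


def map_user(attrs: Dict[str, List[str]], rules: List[MappingRule],
             default_role: str = "Unauthenticated") -> Tuple[str, int]:
    """First matching rule wins (ordered rules, as in the CAM); otherwise the
    default role. Returns (role, vlan)."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule.role, ROLE_VLAN[rule.role]
    return default_role, ROLE_VLAN[default_role]


# Constructed lookup results, shaped like the memberships an AD auth test returns.
USERS: Dict[str, Dict[str, List[str]]] = {
    "alice": {"memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com",
                           "CN=All Staff,OU=Groups,DC=example,DC=com"]},
    "bob":   {"memberOf": ["CN=Finance-Contractors,OU=Groups,DC=example,DC=com"]},
    "carol": {"memberOf": ["CN=All Staff,OU=Groups,DC=example,DC=com"]},
}

# The rule exactly as written in the reply: a substring match on the CN.
LOOSE_RULES = [MappingRule("memberOf", "contains", "CN=Finance", "Employee")]

# Tightened rules: exact DN for Employee, and an explicit rule for the
# contractor group so it cannot fall into the employee VLAN by accident.
STRICT_RULES = [
    MappingRule("memberOf", "equals",
                "CN=Finance,OU=Groups,DC=example,DC=com", "Employee"),
    MappingRule("memberOf", "contains", "CN=Finance-Contractors", "Contractor"),
]


def overmatched_users(rules: List[MappingRule], role: str) -> List[str]:
    """Users who land in `role` without being in the exact Finance group:
    a quick audit of what a substring rule would let through."""
    finance_dn = "cn=finance,ou=groups,dc=example,dc=com"
    return sorted(
        name for name, attrs in USERS.items()
        if map_user(attrs, rules)[0] == role
        and finance_dn not in (v.lower() for v in attrs["memberOf"])
    )


if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(name, "loose ->", map_user(attrs, LOOSE_RULES),
              "strict ->", map_user(attrs, STRICT_RULES))
    print("overmatched by loose rule:", overmatched_users(LOOSE_RULES, "Employee"))
```

Run stand-alone it prints the role and VLAN each constructed user receives under both rule sets; bob (Finance-Contractors) gets the Employee VLAN 15 under the loose rule and Contractor VLAN 20 under the strict one. The same audit idea applies to real output from the AD authentication server test the reply recommends: list the memberOf DNs it returns and confirm that only the intended group satisfies the expression.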
