The first step of our NAC implementation would be to segment our network into two VLANs: one production network and one consultant network.
Is it possible to check the Windows XP clients' Active Directory domain membership and segment them based only on this information (with no software client installed on any client)?
For instance: when a client that is a member of the PROD domain connects to the switch it should be redirected to the PROD-VLAN, and when another client NOT belonging to the PROD domain connects it should be redirected to the Consultant VLAN.
We run ACS version 4.0 on a Windows 2003 domain controller. Our LAN is based on Catalyst 3560 and 2950 switches.
Re: Cisco ACS 4.0 - NAC with Machine authentication
I could see several ways to achieve this.
1) Use 2 NAPs that trigger off the domain name contained in the User-Name attribute. Each NAP then assigns the appropriate VLAN.
2) Use a single NAP with the RADIUS authorisation setup to map from PROD and CONS ACS groups to Shared RACs containing the vlan ids.
Neither of these is fantastic since
1) May not work with Identity protection (where the real userid is hidden)
2) You need a way to map from domain to ACS group. Probably the only way would be to create 2 additional AD groups for each VLAN then put users into one or the other. But then you'd lose other forms of group mapping (e.g. Admins, Consultants, Part time etc)
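The two approaches in the reply differ in what the VLAN decision is keyed on: approach 1 reads the domain out of the RADIUS User-Name before authentication, approach 2 maps an ACS group known after authentication to a Shared RAC holding the VLAN. The following added example (not from the thread, not Cisco ACS code) models both decisions in Python and shows why approach 1 breaks under identity protection: when the outer User-Name is `anonymous`, no domain can be derived, and the device falls to the default VLAN. VLAN numbers, the `prod.example` realm, and the `host/` machine-authentication form are constructed for the example; the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID values are the standard RFC 3580 attributes a RADIUS server returns to the switch for dynamic VLAN assignment.

```python
# Constructed VLAN plan for this example (IDs are placeholders, not from the thread).
VLAN_BY_DOMAIN = {
    "PROD": 10,   # production VLAN
    "CONS": 20,   # consultant VLAN
}
# Unknown or hidden identity lands on the restricted (consultant) side, not production.
DEFAULT_VLAN = 20

# RFC 3580 values returned in the Access-Accept for 802.1X VLAN assignment.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE 802


def extract_domain(user_name):
    """Return the upper-cased domain found in a RADIUS User-Name, or None.

    Handles the forms seen with Windows supplicants: DOMAIN\\user,
    user@domain.tld and host/machine.domain.tld (machine authentication).
    An anonymous outer identity (PEAP identity protection) yields None,
    because the real user, and therefore the domain, is hidden.
    """
    if not user_name:
        return None
    if user_name.startswith("host/"):
        # machine authentication: host/ws01.prod.example -> PROD
        parts = user_name[len("host/"):].split(".")
        return parts[1].upper() if len(parts) >= 2 and parts[1] else None
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain.upper() if domain and user else None
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        if not user or user.lower() == "anonymous":
            return None  # identity protection: outer identity carries no real user
        return realm.split(".")[0].upper() if realm else None
    return None  # bare user name: no domain information at all


def vlan_by_user_name(user_name):
    """Approach 1 from the reply: decide the VLAN from the domain in User-Name."""
    domain = extract_domain(user_name)
    return VLAN_BY_DOMAIN.get(domain, DEFAULT_VLAN)


def vlan_by_group(groups):
    """Approach 2 from the reply: decide the VLAN from the authenticated user's
    ACS group (PROD or CONS). Other groups (Admins, Part time, ...) are ignored
    for the VLAN decision, which is the loss of group mapping the reply notes."""
    for group in groups:
        if group in VLAN_BY_DOMAIN:
            return VLAN_BY_DOMAIN[group]
    return DEFAULT_VLAN


def radius_vlan_attributes(vlan_id):
    """Attributes the RADIUS server places in the Access-Accept so the switch
    moves the port into the given VLAN (what an ACS Shared RAC carries)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


if __name__ == "__main__":
    # Constructed sample User-Names, including the identity-protection case.
    for name in ["PROD\\jdoe", "jdoe@prod.example", "host/ws01.prod.example",
                 "CONS\\bob", "anonymous@prod.example", "anonymous", "jdoe"]:
        print(f"{name:28} -> VLAN {vlan_by_user_name(name)}")
    # Approach 2 still places the user correctly once the inner identity is authenticated.
    print("groups [Admins, PROD]        -> VLAN", vlan_by_group(["Admins", "PROD"]))
    print(radius_vlan_attributes(10))
```

Running the block prints the domain-based decision for each sample name; the two anonymous names and the bare user name fall to VLAN 20 even though the user behind them might be a PROD member, which is the point-1 caveat. `vlan_by_group` reaches VLAN 10 for the same user because it runs on the authenticated group instead of the outer identity.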