Cisco Support Community

New Member

Separate AD users to different authorization

Hi all,

Here is another question of mine, following the one about the command set. How can I separate AD users for different authorization instead of using an AD group? What I currently do is use an AD group to control authorization for a few users on the switch. However, the customer has requested that different AD users have different authorization. Any ideas for this?

thanks and regards


Cisco Employee

Separate AD users to different authorization

If there is no group or attribute in AD to define the conditions, then you need to create conditions based on the username.

There are two attributes that can be used:

- User-Name attribute in the RADIUS IETF dictionary; this is the username as presented in the original RADIUS request

- UserName attribute in the System dictionary

For a protocol like PAP these will be the same; however, for protocols where, for example, the initial username is presented as anonymous, the UserName attribute will contain the actual user name after all the protocol negotiation and session establishment.

So in general it is always best to use the attribute in the System dictionary.

You can select this as a condition by pressing "Customize" and selecting "System:UserName" as the condition.

There needs to be one rule per user; with large numbers this does not scale as well as group- or attribute-based rules.
