Separate AD users to different authorization

siangyankhoo
Level 1

Hi all,

Here is another question of mine after the command set. How can I separate the AD users for different authorization instead of using an AD group? What I currently do is use an AD group to control a few users for the authorization on the switch. However, the customer requested that different AD users have different authorization. Any ideas for this?

Thanks and regards

Jim

1 Reply

jrabinow
Level 7

If there is no group or attribute in AD to define the conditions, then you need to create conditions based on username.

There are two attributes that you can use:

- User-Name attribute in RADIUS IETF dictionary; this is username as presented in original RADIUS request

- UserName attribute in System dictionary

For a protocol like PAP these will be the same; however, for protocols where, for example, the initial username is presented as anonymous, the UserName attribute will contain the actual user name after all the protocol negotiation and session establishment.

So in general it is always best to use the attribute in the System dictionary.

You can select this as a condition by pressing "Customize" and selecting "System:UserName" as the condition.

There needs to be one rule per user; with large numbers this does not scale as well as group- or attribute-based rules.
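
An added example, not part of the original reply and not ACS code: a simplified Python model of one-rule-per-user authorization, showing how a condition on the RADIUS User-Name and one on System:UserName diverge when the initial username is presented as anonymous. The usernames, result names and sessions are constructed, and exact-match, first-match evaluation with a default result is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    radius_user_name: str   # User-Name as presented in the original RADIUS request
    system_user_name: str   # UserName after protocol negotiation has completed

# Constructed sample policy: one rule per user (hypothetical result names).
RULES = [
    ("alice", "ReadOnly"),
    ("bob", "FullAccess"),
]
DEFAULT_RESULT = "DenyAccess"   # assumed result when no per-user rule matches

def authorize(session, attribute):
    """Return the result of the first rule whose username equals the chosen attribute."""
    if attribute not in ("radius_user_name", "system_user_name"):
        raise ValueError("unknown attribute: " + attribute)
    value = getattr(session, attribute)
    for username, result in RULES:
        if value == username:
            return result
    return DEFAULT_RESULT

def compare(session):
    """Evaluate the same rules against each attribute: (RADIUS User-Name, System UserName)."""
    return (authorize(session, "radius_user_name"),
            authorize(session, "system_user_name"))

# Constructed sessions: PAP presents the real name in both attributes; a
# tunneled method presents "anonymous" first and the real name afterwards.
SESSIONS = {
    "pap": Session("bob", "bob"),
    "tunneled": Session("anonymous", "bob"),
    "unlisted": Session("carol", "carol"),
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        by_radius, by_system = compare(session)
        print(f"{name}: User-Name rule -> {by_radius}, System:UserName rule -> {by_system}")
```

In the tunneled case the rule keyed on the RADIUS User-Name never matches, so the user silently receives the default result; a user with no rule of their own gets the default under either attribute.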
