We try to implement on our customer, NAC appliance integrating with Active Directory Single sign on.
The NAC configured with L2 OOB. User first connect to switch and got the authentice Vlan, then the user will be authenticate using their domain account login, if success the user will be mapping to the Vlan assign to them.
The agent SSO installed on Active Directory is running well, and at the CAS also the service SSO started.
Let say i've this situation:
1. User A has been assign to Vlan 15 Employee
2. User A plug to switch and got dummy vlan and will authenticate using Domain account on AD, If succeded than, the port will be bounce, the user running an cisco agent on background
3. Now user A has their on Vlan ID 15
I've created the Authentication server on CAM for the Active Directory, but i've find it's so difficult to config mapping rules between user roles to Active directory. The guidance pdf how to implement NAC i've downloaded from cisco, not mention it how to mapping user roles to Active Directory...
Has any one has been configured mapping rules user roles to Active directory?
You can configure Cisco NAC Appliance to automatically authenticate Clean Access Agent users who are already logged into a Windows domain. AD SSO allows users logging into AD on their Windows systems to automatically go through posture assessment/Clean Access certification without ever having to login through the Agent. Cisco NAC Appliance supports Windows Single Sign-On (SSO) on Windows Vista/XP/2000 client machines and AD on Windows 2000/2003 servers
So you would create a mapping rule against your lookup server like so.
Say the AD group membership is "Finance"
for ADSSO you would apply the mapping rule to your LOOKUP Server
where the expression is
memberOf contains CN=Finance and apply it to role employee if VLAN 15 is your employee vlan then you would designate vlan 15 in your Employee role under user role configuration
Now you cant test this with ADSSO with the test auth function so what I like to do is create an AD authentication server and test against that as long as you have some form of mapping configured the auth results will return all memberships for the userename you login with so you can get the syntax exactly right.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...