01-03-2008 08:01 AM - edited 02-21-2020 10:20 AM
Hi,
We're using AD SSO, is it possible to choose a role based on the host rather than the user.
For example some users have desktops and laptops but each run different software so will need separate policies.
Is this possible using AD/LDAP?
Thanks.
Jim.
01-04-2008 05:25 AM
Hi Jim,
Yes you can do this with MAC/IP filtering. If you want to do this globally you can click on filtering when you first log into the CAM.
You then create a new filter that will assign specific MAC and/or IP address to a role e.g. Laptop and Desktop.
Now whenever a laptop or desktop connects to the network it will be placed in an appropriate role and you can create specific policy for that role just as you would for a default unauthenticated or quarantine role.
01-04-2008 05:29 AM
Thanks,
That's what I've started doing. Is there any way of doing this with AD/LDAP?
Jim.
01-04-2008 06:30 AM
Jim,
Interesting question, never thought of doing it that way. Here's what I can figure out so far. When using AD/LDAP for role mapping, you key off a "Search Filter" set under the Lookup Server configuration. Taking a look at my config, this is currently set as sAMAccountName=$user$ for my integration.
I've gone through our LDAP structure and looked at workstation CNs rather than user CNs. I see the following fields of interest:
dNSHostName=host.company.com
sAMAccountName=host$
cn=host
name=host
Hrm.... looks like something. I think we're stuck though because the CAM forwards the user's username under the "Search Filter" setting. I'd check with TAC or wait for someone to come along from Cisco that can answer whether the Search Filter can be set to something like:
sAMAccountName=$hostname$
I think this would then be able to map attributes for that workstation that could be used for role mapping.
Just guessing here... hope this helps though.
-Mike
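To make the search-filter idea concrete, here is an added example (not from this thread, and not Cisco's code): a small simulation of how a lookup server expands a "Search Filter" template such as `sAMAccountName=$user$`, evaluates it against AD objects, and maps the matching object's attributes to a role. The directory entries, the role-mapping rules and the `$hostname$` placeholder are all constructed for illustration (`$hostname$` is Mike's hypothetical, not a documented CAM setting); the filter evaluator covers only the subset of RFC 4515 needed here (equality, `*` wildcard, `&`, `|`, `!`). The point it adds beyond the post: computer accounts carry a trailing `$` in `sAMAccountName`, so a host-based template must account for it, and any value substituted into a filter must be escaped so it cannot change the filter's structure.

```python
"""Added example: LDAP search-filter expansion and attribute-to-role mapping.
Not from the forum thread or from Cisco. Directory data and role rules are
constructed sample values; the evaluator is a simplified RFC 4515 subset."""
import re

# Constructed sample AD objects: one user, two computer accounts.
# Note the trailing '$' on computer sAMAccountName values.
DIRECTORY = [
    {"dn": "CN=jim,OU=Users,DC=company,DC=com", "objectClass": "user",
     "sAMAccountName": "jim",
     "memberOf": ["CN=Engineering,OU=Groups,DC=company,DC=com"]},
    {"dn": "CN=LAPTOP01,OU=Laptops,DC=company,DC=com", "objectClass": "computer",
     "sAMAccountName": "LAPTOP01$", "cn": "LAPTOP01", "name": "LAPTOP01",
     "dNSHostName": "laptop01.company.com",
     "memberOf": ["CN=Laptops,OU=Groups,DC=company,DC=com"]},
    {"dn": "CN=DESK01,OU=Desktops,DC=company,DC=com", "objectClass": "computer",
     "sAMAccountName": "DESK01$", "cn": "DESK01", "name": "DESK01",
     "dNSHostName": "desk01.company.com",
     "memberOf": ["CN=Desktops,OU=Groups,DC=company,DC=com"]},
]

# Constructed attribute -> role rules, first match wins (like a CAM mapping rule).
ROLE_RULES = [
    ("memberOf", "CN=Laptops,OU=Groups,DC=company,DC=com", "Laptop"),
    ("memberOf", "CN=Desktops,OU=Groups,DC=company,DC=com", "Desktop"),
    ("memberOf", "CN=Engineering,OU=Groups,DC=company,DC=com", "Engineering"),
]


def expand_filter(template, **values):
    """Replace $user$ / $hostname$ placeholders. Each value is RFC 4515
    escaped so '*', '(', ')', '\\' or NUL in it stay literal text."""
    def esc(v):
        return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), v)
    for key, val in values.items():
        template = template.replace('$%s$' % key, esc(val))
    return template


def _unescape(v):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)


def _parse(s, i):
    """Recursive-descent parse of '(attr=value)', '(&...)', '(|...)', '(!...)'."""
    if s[i] != '(':
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in '&|!':
        op, subs, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ')':
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = s.index(')', i)                      # escaped values contain no raw ')'
    attr, _, val = s[i:j].partition('=')
    return ('=', attr, val), j + 1


def parse_filter(s):
    if not s.startswith('('):                # allow the bare form used in the thread
        s = '(' + s + ')'
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data in filter")
    return node


def _values(entry, attr):
    """Attribute names are case-insensitive; values may be multi-valued."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []


def matches(node, entry):
    if node[0] == '=':
        _, attr, raw = node
        if '*' in raw:                       # unescaped '*' is a wildcard
            pat = '.*'.join(re.escape(_unescape(p)) for p in raw.split('*'))
            return any(re.fullmatch(pat, v, re.IGNORECASE) for v in _values(entry, attr))
        want = _unescape(raw).lower()
        return any(v.lower() == want for v in _values(entry, attr))
    op, subs = node
    if op == '&':
        return all(matches(n, entry) for n in subs)
    if op == '|':
        return any(matches(n, entry) for n in subs)
    return not matches(subs[0], entry)


def lookup(template, **values):
    """Expand the template and return every directory object it matches."""
    flt = parse_filter(expand_filter(template, **values))
    return [e for e in DIRECTORY if matches(flt, e)]


def assign_role(template, default="Unauthenticated", **values):
    """Exactly one matching object is required; otherwise fall back to default."""
    hits = lookup(template, **values)
    if len(hits) != 1:
        return default
    for attr, val, role in ROLE_RULES:
        if any(v.lower() == val.lower() for v in _values(hits[0], attr)):
            return role
    return default


if __name__ == "__main__":
    print(assign_role("sAMAccountName=$user$", user="jim"))               # Engineering
    print(assign_role("sAMAccountName=$hostname$$", hostname="LAPTOP01"))  # Laptop
    print(assign_role("dNSHostName=$hostname$", hostname="desk01.company.com"))  # Desktop
    print(assign_role("sAMAccountName=$user$", user="*"))                 # Unauthenticated
```

The `sAMAccountName=$hostname$$` template shows why a host lookup cannot simply reuse the user template: the computer account's logon name is `LAPTOP01$`, so the literal `$` has to be appended (or `dNSHostName` / `cn` used instead). The last call shows the escaping at work: a submitted `*` becomes the literal `\2a`, matches nothing, and the client lands in the default role rather than matching every object.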
01-04-2008 07:35 AM
Thanks Mike,
Yeah I think the credentials are user based, presumably the hostname could be sent by the Agent but what's to stop this being spoofed?
Same with MAC addresses but at least they are a bit more obscure.
If there's a Cisco bod about I'd like some sort of confirmation.
Thanks.
Jim.