NAC and host authentication in AD / LDAP

j.jeater
Level 1

Hi,

We're using AD SSO; is it possible to choose a role based on the host rather than the user?

For example, some users have desktops and laptops, but each runs different software, so they will need separate policies.

Is this possible using AD/LDAP?

Thanks.

Jim.

4 Replies

gojericho0
Level 1

Hi Jim,

Yes, you can do this with MAC/IP filtering. If you want to do this globally you can click on Filtering when you first log into the CAM.

You then create a new filter that will assign specific MAC and/or IP address to a role e.g. Laptop and Desktop.

Now, whenever a laptop or desktop connects to the network it will be placed in the appropriate role, and you can create a specific policy for that role just as you would for the default unauthenticated or quarantine role.

Thanks,

That's what I've started doing. Is there any way of doing this with AD/LDAP?

Jim.

Jim,

Interesting question, never thought of doing it that way. Here's what I can figure out so far. When using AD/LDAP for role mapping, you key off a "Search Filter" set under the Lookup Server configuration. Taking a look at my config, this is currently set as sAMAccountName=$user$ for my integration.

I've gone through our LDAP structure and looked at workstation CNs rather than user CNs. I see the following fields of interest:

dNSHostName=host.company.com

sAMAccountName=host$

cn=host

name=host

Hrm.... looks like something. I think we're stuck, though, because the CAM forwards the user's username under the "Search Filter" setting. I'd check with TAC or wait for someone to come along from Cisco who can answer whether the Search Filter can be set to something like:

sAMAccountName=$hostname$

I think this would then be able to map attributes for that workstation that could be used for role mapping.

Just guessing here... hope this helps though.

-Mike

http://cs-mars.blogspot.com
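The lookup Mike is describing, written out as an added example (this is not code from the thread, the CAM, or Cisco): build the filter for a computer object from a hostname, and map the object found to a role from its position in the directory. Two details the thread touches on are made concrete. First, computer accounts carry sAMAccountName as the NetBIOS name plus a literal `$`, so a filter keyed on the short name has to append it. Second, Jim's spoofing worry has a second edge: whatever string an agent supplies for the hostname would be interpolated into an LDAP filter, so it must be escaped per RFC 4515 before it goes anywhere near the query, or the sender controls the search. The OU names (`OU=Laptops`, `OU=Desktops`), the role names, the sample entries and the `company.com` hostnames are all constructed assumptions; the offline `lookup_role` stands in for the real LDAP round trip, which in a live deployment would be done by the NAC or by an LDAP client against the same filter.

```python
"""Host-based role lookup against AD computer objects (added example, not from the thread)."""
import re
from typing import Dict, List, Optional


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into an LDAP search filter.
    Anything supplied by the client (hostname, username) goes through this first."""
    out = value.replace("\\", r"\5c")  # backslash first, so later escapes are not re-escaped
    for raw, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        out = out.replace(raw, esc)
    return out


def computer_filter(hostname: str, use_dns_name: bool = False) -> str:
    """Search filter for the computer object of `hostname`.

    sAMAccountName on a computer account is NETBIOSNAME plus a literal '$'
    (e.g. 'LT-JIM01$'); with use_dns_name=True the FQDN is matched on dNSHostName.
    """
    if use_dns_name:
        return f"(&(objectClass=computer)(dNSHostName={escape_filter_value(hostname)}))"
    short = hostname.split(".", 1)[0].upper()
    return f"(&(objectClass=computer)(sAMAccountName={escape_filter_value(short)}$))"


# Assumed mapping from the OU a computer lives in to a NAC role (example values).
ROLE_BY_OU: Dict[str, str] = {
    "OU=Laptops": "Laptop",
    "OU=Desktops": "Desktop",
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def role_for_computer(entry: Dict[str, str]) -> Optional[str]:
    """Pick a role from the OU chain in the object's DN; None means 'no mapping',
    so the caller falls back to whatever default role the NAC applies."""
    for rdn in split_dn(entry["distinguishedName"]):
        for ou, role in ROLE_BY_OU.items():
            if rdn.lower() == ou.lower():  # DN components compare case-insensitively
                return role
    return None


# Constructed sample results shaped like the attributes listed above; not real data.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {
        "distinguishedName": "CN=LT-JIM01,OU=Laptops,OU=Workstations,DC=company,DC=com",
        "dNSHostName": "lt-jim01.company.com",
        "sAMAccountName": "LT-JIM01$",
        "cn": "LT-JIM01",
        "name": "LT-JIM01",
    },
    {
        "distinguishedName": "CN=DT-ACCT07,OU=Desktops,OU=Workstations,DC=company,DC=com",
        "dNSHostName": "dt-acct07.company.com",
        "sAMAccountName": "DT-ACCT07$",
        "cn": "DT-ACCT07",
        "name": "DT-ACCT07",
    },
    {
        # Unmapped OU: the caller should apply the default role.
        "distinguishedName": "CN=SRV-PRINT01,OU=Servers,DC=company,DC=com",
        "dNSHostName": "srv-print01.company.com",
        "sAMAccountName": "SRV-PRINT01$",
        "cn": "SRV-PRINT01",
        "name": "SRV-PRINT01",
    },
]


def lookup_role(hostname: str, directory: List[Dict[str, str]] = SAMPLE_ENTRIES) -> Optional[str]:
    """Offline stand-in for the LDAP search: match on sAMAccountName, then map to a role."""
    wanted = hostname.split(".", 1)[0].upper() + "$"
    for entry in directory:
        if entry["sAMAccountName"].upper() == wanted:
            return role_for_computer(entry)
    return None


if __name__ == "__main__":
    for host in ("lt-jim01.company.com", "dt-acct07.company.com", "srv-print01.company.com"):
        print(computer_filter(host), "->", lookup_role(host))
    # A hostname carrying filter metacharacters is neutralised rather than rewriting the query.
    print(computer_filter("*)(objectClass=*"))
```

Note what the escaping does and does not buy: it stops a supplied hostname from altering the filter, but it does nothing to prove the client actually is that host. That binding is the open question in the thread and is not answered by the lookup itself.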

Thanks Mike,

Yeah, I think the credentials are user based. Presumably the hostname could be sent by the Agent, but what's to stop this being spoofed?

Same with MAC addresses but at least they are a bit more obscure.

If there's a Cisco bod about I'd like some sort of confirmation.

Thanks.

Jim.
