Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAC and host authentication in AD / LDAP

Hi,

We're using AD SSO, is it possible to choose a role based on the host rather than the user.

For example some users have desktops and laptops but each run different software so will need separate policies.

Is this possible using AD/LDAP?

Thanks.

Jim.

4 REPLIES
Bronze

Re: NAC and host authentication in AD / LDAP

Hi Jim,

Yes you can do this with MAC/IP filtering. If you want to do this globaly you can click on filtering when your first log into the CAM.

You then create a new filter that will assign specific MAC and/or IP address to a role e.g. Laptop and Desktop.

Now when ever a laptop or desktop connects to the network it will be placed in an appropriate role and you can create specific policy for that role just as you would for a default unauthenticated or quarantine role

Community Member

Re: NAC and host authentication in AD / LDAP

Thanks,

That's what I've started doing. Is there any way of doing this with AD/LDAP?

Jim.

Bronze

Re: NAC and host authentication in AD / LDAP

Jim,

Interesting question, never thought of doing it that way. Here's what I can figure out so far. When using AD/LDAP for role mapping, you key off a "Search Filter" set under the Lookup Server configuration. Taking a look at my config, this is currently set as sAMAccountName=$user$ for my integration.

I've gone through our LDAP structure and looked at workstation CNs rather than user CNs. I see the following fields of interest:

dNSHostName=host.company.com

sAMAccountName=host$

cn=host

name=host

Hrm.... looks like something. I think we're stuck though because the CAM forwards the user's username under the "Search Filter" setting. I'd check with TAC or wait for someone to come along from Cisco that can answer whether the Search Filter can be set to something like:

sAMAccountName=$hostname$

I think this would then be able to map attributes for that workstation that could be used for role mapping.

Just guessing here... hope this helps though.

-Mike

http://cs-mars.blogspot.com

Community Member

Re: NAC and host authentication in AD / LDAP

Thanks Mike,

Yeah I think the credentials are user based, presumably the hostname could be sent by the Agent but what's to this being spoofed?

Same with MAC addresses but at least they are a bit more obscure.

If there's a Cisco bod about I'd like some sort of confirmation.

Thanks.

Jim.

229
Views
0
Helpful
4
Replies
CreatePlease to create content