Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Role Mapping in NAC

I have a scenario where NAC is to be deployed in a University for staff and students. so i have created two roles Staff and Student. There are 2 AD (Primary and secondary) each for staff and student.

Question 1

Is that possible to define 2 AD for SSO for student and staff?

Question 2

how would i do role mapping for staff and student.

Can i specified the role in the Auth Server--> Auth-tye ADSSO --> Default Role--Staff for Staff AD.

similarly for Student AD change the Default role to Student.

Should it work?

Or Can i assign the role to the users based on their Vlan ID but for that do i have to specify the ldap server in LookUp Server Tab.?


Re: Role Mapping in NAC

The Mapping Rules forms can be used to map users into user role(s) based on these parameters:

The VLAN ID of user traffic that originates from the untrusted side of the CAS (all auth server types)

Authentication attributes passed from LDAP and RADIUS auth servers (and RADIUS attributes passed from Cisco VPN Concentrators)

For example, if you have two sets of users on the same IP subnet but with different network access privileges, such as wireless employees and students, you can use an attribute from an LDAP server to map one set of users into a particular user role. You can then create traffic policies to allow network access to one role and deny network access to other roles.

New Member

Re: Role Mapping in NAC

the student and the staff are in different vlan and have different subnets. and i donot want to use ldap for mapping user role. Can i do it by vlan id. do you have any configuration steps.

New Member

Re: Role Mapping in NAC

yes, but there is a catch.

The VLAN id used for the mapping rules is the Authentication VLAN id, which in turn is defined in the port profiles.

So you will have to make at least 2 port profiles(1x Students, 1x Staff) and assign the profiles to the correct switch ports used by the corresponding group of users.

If you are using fixed workstations for youre staff this would be an ok solution, however LDAP remains the more flexible/dynamic option.

You can also use LDAP to identify youre staff users and put everyone for who the LDAP does not work in a student role.

New Member

Re: Role Mapping in NAC

Thanks for your reply. One imp point regading your above point is

I am doing Inband virtual gateway. Port Porfiles are generally configured for OOB. so will role mapping be done by just VLAN ID in Inband VIrtual gateway mode.