https://community.cisco.com/t5/network-access-control/seperate-ad-users-to-different-authorization/m-p/2001669#M182106 <HTML><HEAD></HEAD><BODY><P>If there is no group or attribute in AD to define the conditions then need to create conditions based on username</P><P></P><P>There are two attributes that can use</P><P>- User-Name attribute in RADIUS IETF dictionary; this is username as presented in original RADIUS request</P><P>- UserName attribute in System dictionary</P><P></P><P>For protocol like PAP this will be the same; however for protocols where for example the initial username is presented as anonymous then the UserName attribute will contain the actual user name after all the prococol negociation and session establishment</P><P></P><P>So in general is always best to use the attribute in the system dictionary</P><P></P><P>Can select this as a contion by pressing "Customize" and selecting "System:UserName" as the condition</P><P></P><P>There needs to be one rule per user; with large numbers does not scale as well as group or attribute based rules</P></BODY></HTML> Fri, 01 Jun 2012 15:41:15 GMT jrabinow 2012-06-01T15:41:15Z https://community.cisco.com/t5/network-access-control/seperate-ad-users-to-different-authorization/m-p/2001668#M182100 <P>Hi all,</P><P></P><P></P><P>Here is my another question after the command set. How to seperate the AD users for different authorization instead of using AD group? i currently do now is using AD group to control a few users for the authorization on the switch. However, customer requested for different AD users need have different authorization. Any idea for this? </P><P></P><P></P><P>thanks and regards</P><P>Jim</P> Mon, 11 Mar 2019 02:09:18 GMT https://community.cisco.com/t5/network-access-control/seperate-ad-users-to-different-authorization/m-p/2001668#M182100 siangyankhoo 2019-03-11T02:09:18Z https://community.cisco.com/t5/network-access-control/seperate-ad-users-to-different-authorization/m-p/2001669#M182106 <HTML><HEAD></HEAD><BODY><P>If there is no group or attribute in AD to define the conditions then need to create conditions based on username</P><P></P><P>There are two attributes that can use</P><P>- User-Name attribute in RADIUS IETF dictionary; this is username as presented in original RADIUS request</P><P>- UserName attribute in System dictionary</P><P></P><P>For protocol like PAP this will be the same; however for protocols where for example the initial username is presented as anonymous then the UserName attribute will contain the actual user name after all the prococol negociation and session establishment</P><P></P><P>So in general is always best to use the attribute in the system dictionary</P><P></P><P>Can select this as a contion by pressing "Customize" and selecting "System:UserName" as the condition</P><P></P><P>There needs to be one rule per user; with large numbers does not scale as well as group or attribute based rules</P></BODY></HTML> Fri, 01 Jun 2012 15:41:15 GMT https://community.cisco.com/t5/network-access-control/seperate-ad-users-to-different-authorization/m-p/2001669#M182106 jrabinow 2012-06-01T15:41:15Z