Cisco ACS 4.0 - NAC with Machine authentication

thult
Level 1

The first step of our NAC implementation would be to segment our network into two VLANs: one production network and one consultant network.

Is it possible to check the Windows XP client's Active Directory domain membership and segment them based only on this information? (with no software client installed on any client)

For instance: When a client that is member of the PROD domain connects to the switch it should be redirected to the PROD-VLAN and when another client NOT belonging to the PROD domain connects it should be redirected to the Consultant VLAN.

We run ACS version 4.0 on a Windows 2003 domain controller. Our LAN is based on Catalyst 3560 and 2950 switches.

3 Replies

darpotter
Level 5

Hi

I could see several ways to achieve this.

1) Use 2 NAPs that trigger off the domain name contained in the User-Name attribute. Each NAP then assigns the appropriate VLAN.

2) Use a single NAP with the RADIUS authorisation setup to map from PROD and CONS ACS groups to Shared RACs containing the vlan ids.

Neither of these are fantastic since

1) May not work with Identity protection (where the real userid is hidden)

2) You need a way to map from domain to ACS group. Probably the only way would be to create 2 additional AD groups for each VLAN then put users into one or the other. But then you'd lose other forms of group mapping (e.g. Admins, Consultants, Part time etc.)

Darran

Rutger Blom
Level 1

I don't see why you should use NAC to achieve this.

You can just enable 802.1x on your clients and switches. Configure an AD database connection in your ACS and use group mappings. In the different ACS groups you can then configure different VLANs.

Rutger
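Both Darran's second option and Rutger's suggestion rely on the same mechanism: the switch authenticates the port via 802.1x against ACS, and the ACS group the AD mapping lands the client in returns the IETF tunnel attributes that name the VLAN. The fragment below is an added illustration of that setup, not configuration from the original thread or from Cisco; the RADIUS server address, shared secret, interface and VLAN ids are placeholders. Because the Windows XP supplicant can authenticate with the computer account (the "host/" identity) before a user logs on, mapping the AD Domain Computers group to the PROD ACS group segments on the machine's domain membership rather than on the user, which is what the original question asks for. The guest VLAN line is optional and is worth treating carefully: it catches any port with no supplicant at all, so it is a fallback for unmanaged hosts, not a domain-membership check.

```cisco
! --- Catalyst switch side (constructed example; addresses and key are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
! Without network authorization the switch ignores the VLAN attributes ACS returns.
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key RADIUS-SHARED-SECRET
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 ! Optional: hosts with no 802.1x supplicant land in the consultant VLAN.
 dot1x guest-vlan 30
!
! --- ACS side: IETF RADIUS attributes returned by each ACS group ---
! PROD group (AD mapping: Domain Computers / production users)
[064] Tunnel-Type             = VLAN (13)
[065] Tunnel-Medium-Type      = 802 (6)
[081] Tunnel-Private-Group-ID = 20
!
! CONS group (everything else)
[064] Tunnel-Type             = VLAN (13)
[065] Tunnel-Medium-Type      = 802 (6)
[081] Tunnel-Private-Group-ID = 30
```

The value in Tunnel-Private-Group-ID must match a VLAN id (or VLAN name) that already exists on the switch; a port whose returned VLAN does not exist stays unauthorized, which is safer than silently falling into the default VLAN and is the first thing to check when a client authenticates but gets no connectivity.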

You're right.. they don't *need* NAC - but if you re-read the posting it says they are going to implement NAC but right now they are rolling out 802.1x as a first stage.

Darran