Cisco NAC Appliance SSO AD by OU (Organization Unit): is it possible?

Hello, I have a question. Is it possible to implement NAC Appliance SSO AD VG/Real IP - L2/L3 for OU (Organization Unit)? For example, if I have OU sales and OU market in the Windows domain X, is it possible to restrict the policy and assign a different network (10.1.1.0/24 for OU sales and 10.1.2.0/24 for OU market)?

Regards

Alvaro

3 Replies

Tarik Admani
VIP Alumni

Yes, that is possible. First you will create a user role for each of the two separate OUs, then you assign a user role VLAN to each role. Then you will have to create an LDAP lookup server. You will then create an attribute condition which will map users that are a memberOf xxx to user role yyy.

This is for out-of-band scenarios, because the clients at first will get the same authentication IP address, but after the port is switched over, the IP address they get will be based on the VLANs they land on.

let me know if you need anything else.

Tarik

Hi Tarik,

What about the case where there is an OOB virtual-gateway design?

There is no IP segment change after authentication and the "health check" have finished.

How does the system allocate the authentication and data VLAN (and the appropriate IP segment) based on an AD parameter?

Thanks a lot,

Vladimir

Vladimir,

This will be based on your LDAP mapping to user role mapping. Within your user role you can assign users to a different role, so when the port profile is configured for your switch ports you can choose to assign the VLAN based on the user role VLAN.

thanks,

Tarik
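The mapping chain described in both of Tarik's replies (LDAP attribute condition -> user role -> user role VLAN, with the shared authentication VLAN before the OOB port switch-over) modelled as an added example; this is not Cisco NAC Appliance code, and it goes slightly beyond the thread by also matching on the OU in the user's DN, as Alvaro's question asks. All group DNs, role names, VLAN ids and the sample LDAP entries are constructed assumptions.

```python
"""Model of NAC-style LDAP attribute condition -> user role -> VLAN assignment.
Constructed example: group DNs, role names, VLAN ids and entries are assumptions."""
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    attribute: str   # LDAP attribute the condition tests: "memberOf" or "dn"
    contains: str    # case-insensitive substring the attribute value must contain
    role: str
    vlan: int        # the user role VLAN the port profile will assign

AUTH_VLAN = 100                        # assumed shared authentication VLAN (pre switch-over)
DEFAULT_ROLE = ("unauthenticated", 999)  # assumed fallback when no condition matches

RULES = [  # rule order is priority: the first matching condition wins
    Rule("sales-group", "memberOf", "CN=Sales,OU=Groups,DC=example,DC=local", "Sales", 10),
    Rule("market-ou", "dn", "OU=market,", "Market", 20),
]

def match_rules(entry, rules=RULES):
    """Return every rule satisfied by the entry (memberOf is multi-valued)."""
    hits = []
    for r in rules:
        values = entry.get(r.attribute, [])
        values = [values] if isinstance(values, str) else values
        if any(r.contains.lower() in v.lower() for v in values):
            hits.append(r)
    return hits

def assign(entry, rules=RULES):
    """Pick the role and access VLAN; flag users matching more than one rule so an
    admin can catch ambiguous group/OU membership before it silently picks a VLAN."""
    hits = match_rules(entry, rules)
    role, vlan = (hits[0].role, hits[0].vlan) if hits else DEFAULT_ROLE
    return {"role": role, "auth_vlan": AUTH_VLAN, "access_vlan": vlan,
            "ambiguous": len(hits) > 1, "matched": [r.name for r in hits]}

# Constructed sample LDAP entries (what the lookup server would return)
SALES_USER = {"dn": "CN=alvaro,OU=sales,DC=example,DC=local",
              "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=local"]}
MARKET_USER = {"dn": "CN=vlad,OU=market,DC=example,DC=local", "memberOf": []}
BOTH_USER = {"dn": "CN=eve,OU=market,DC=example,DC=local",
             "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=local"]}
NOBODY = {"dn": "CN=guest,OU=temp,DC=example,DC=local", "memberOf": []}

if __name__ == "__main__":
    for e in (SALES_USER, MARKET_USER, BOTH_USER, NOBODY):
        print(e["dn"], "->", assign(e))
```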