01-17-2009 03:42 AM - edited 02-21-2020 03:13 AM
I have a scenario where NAC is to be deployed in a university for staff and students, so I have created two roles, Staff and Student. There are 2 AD (primary and secondary), one pair each for staff and students.
Question 1
Is it possible to define 2 AD for SSO, one for students and one for staff?
Question 2
How would I do role mapping for staff and students?
Can I specify the role under Auth Server --> Auth-type ADSSO --> Default Role --> Staff for the Staff AD,
and similarly for the Student AD change the Default Role to Student?
Should that work?
Or can I assign the role to the users based on their VLAN ID? If so, do I have to specify the LDAP server in the Lookup Server tab for that?
01-23-2009 02:30 PM
The Mapping Rules forms can be used to map users into user role(s) based on these parameters:
The VLAN ID of user traffic that originates from the untrusted side of the CAS (all auth server types)
Authentication attributes passed from LDAP and RADIUS auth servers (and RADIUS attributes passed from Cisco VPN Concentrators)
For example, if you have two sets of users on the same IP subnet but with different network access privileges, such as wireless employees and students, you can use an attribute from an LDAP server to map one set of users into a particular user role. You can then create traffic policies to allow network access to one role and deny network access to other roles.
01-25-2009 03:43 AM
The students and the staff are in different VLANs and have different subnets, and I do not want to use LDAP for mapping user roles. Can I do it by VLAN ID? Do you have any configuration steps?
01-25-2009 11:36 PM
Yes, but there is a catch.
The VLAN ID used for the mapping rules is the Authentication VLAN ID, which in turn is defined in the port profiles.
So you will have to make at least 2 port profiles (1x Students, 1x Staff) and assign the profiles to the correct switch ports used by the corresponding group of users.
If you are using fixed workstations for your staff this would be an OK solution; however, LDAP remains the more flexible/dynamic option.
You can also use LDAP to identify your staff users and put everyone for whom the LDAP lookup does not work in a Student role.
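The two replies above describe the mapping-rule logic in words: rules are evaluated against the authentication VLAN ID (from the port profile) or against LDAP attributes, and whoever matches no rule lands in the auth server's default role. The following is an added example, not Cisco NAC/Clean Access Manager code and not posted by anyone in this thread; it models that first-match evaluation so the "LDAP for staff, default role for everyone else" design can be tested before touching the appliance. The rule set, VLAN numbers, group DN and sample users are all constructed for illustration.

```python
"""First-match role mapping, modelled on the behaviour described in the thread.

Illustrative code only (not the Clean Access Manager implementation). A rule
may constrain the authentication VLAN ID, one or more LDAP attributes, or both;
all constraints on a rule must hold (AND). Rules are tried in order and the
first match wins; a user matching nothing receives the default role.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

AttrValue = Union[str, List[str]]


@dataclass
class MappingRule:
    role: str
    # Authentication VLAN ID, as set in the port profile (None = don't care)
    vlan_id: Optional[int] = None
    # LDAP attribute -> required value; every entry must be present (AND)
    ldap_attrs: Dict[str, str] = field(default_factory=dict)

    def matches(self, vlan_id: Optional[int], attrs: Dict[str, AttrValue]) -> bool:
        if self.vlan_id is not None and vlan_id != self.vlan_id:
            return False
        for key, wanted in self.ldap_attrs.items():
            values = attrs.get(key, [])
            if isinstance(values, str):  # single-valued attribute
                values = [values]
            if wanted not in values:  # multi-valued, e.g. memberOf
                return False
        return True


def map_role(rules: List[MappingRule], default_role: str,
             vlan_id: Optional[int] = None,
             attrs: Optional[Dict[str, AttrValue]] = None) -> str:
    """Return the role of the first matching rule, else the default role.

    attrs is empty (or None) when the LDAP lookup returned nothing for the
    user, which is exactly the 'LDAP does not work' case from the thread.
    """
    attrs = attrs or {}
    for rule in rules:
        if rule.matches(vlan_id, attrs):
            return rule.role
    return default_role


# --- constructed sample policy (hypothetical values) ------------------------
STAFF_GROUP_DN = "CN=Staff,OU=Groups,DC=example,DC=edu"  # placeholder DN
STAFF_VLAN = 10      # hypothetical auth VLAN from the Staff port profile
STUDENT_VLAN = 20    # hypothetical auth VLAN from the Student port profile

RULES = [
    # LDAP rule first, so a staff member is Staff wherever they plug in
    MappingRule(role="Staff", ldap_attrs={"memberOf": STAFF_GROUP_DN}),
    # VLAN rules for the fixed-workstation port-profile approach
    MappingRule(role="Staff", vlan_id=STAFF_VLAN),
    MappingRule(role="Student", vlan_id=STUDENT_VLAN),
]
DEFAULT_ROLE = "Student"  # everyone who matches no rule


def demo() -> Dict[str, str]:
    """Evaluate a few constructed users against the sample policy."""
    return {
        "staff_on_staff_vlan": map_role(RULES, DEFAULT_ROLE, vlan_id=STAFF_VLAN),
        "unknown_on_student_vlan": map_role(RULES, DEFAULT_ROLE, vlan_id=STUDENT_VLAN),
        "staff_ldap_on_other_vlan": map_role(
            RULES, DEFAULT_ROLE, vlan_id=30,
            attrs={"memberOf": [STAFF_GROUP_DN, "CN=Wifi,OU=Groups,DC=example,DC=edu"]}),
        "ldap_failed_on_other_vlan": map_role(RULES, DEFAULT_ROLE, vlan_id=30, attrs={}),
    }


if __name__ == "__main__":
    for user, role in demo().items():
        print(f"{user}: {role}")
```

Rule order matters: placing the LDAP rule ahead of the VLAN rules means a staff member who authenticates from a student port still gets the Staff role, while anyone whose lookup returns nothing falls through to the default Student role rather than to an unintended privileged one. That fall-through is the property worth checking when the default role is set on the Auth Server page.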
01-26-2009 12:19 AM
Thanks for your reply. One important point regarding your comment above:
I am doing in-band virtual gateway. Port profiles are generally configured for OOB, so will role mapping work by just VLAN ID in in-band virtual gateway mode?