Filter
Top Products
6-2
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 6 Agentless Host Support Configuration Scenario
Overview of Agentless Host Support
3. If you configure ACS for MAB, it searches the authentication database for the host’s MAC address
The database can be:
–
ACS internal
–
LDAP (if you configure LDAP)
4. During the database lookup:
–
ACS looks up the MAC address in an identity store (the internal ACS database or an LDAP
database).
–
ACS maps the MAC address to an ACS user group.
–
If ACS finds the MAC address, ACS associates the access request to an ACS user group.
–
If ACS does not find the MAC address, ACS assigns the access request to a default group that
has been configured for failed MAB. At this stage, ACS proceeds with authorization as for all
other access requests.
–
The expected value in the calling-station-id attribute is a MAC address; however, if the
attribute contains a different value (IP address), ACS looks for the IP address in the access
database
–
ACS applies authorization rules based on the user group and associated policies that a Network
Access Profile contains.
Figure 6-1 shows the flow of MAB information.
Figure 6-1 MAB Flow
Using Audit Servers and GAME Group Feedback
You can configure ACS to use audit servers. An audit server is a device that checks the information that
the NAD provides against a list of predetermined device types.
The audit server can categorize an end device and provide additional information to ACS. ACS can then
make a group assignment decision based on the categorization of the device. For example, if the device
is a printer, ACS can assign the device to a user group that includes printers.
In a Cisco Network Admission Control (NAC) environment, ACS supports audit server authentication
by enabling Generic Authorization Message Exchange (GAME) group feedback.
Agentless host
MAC address MAC address
Service-type-10
Request: MAC address lookup
Response: MAC address exists + user group
ACS
LDAP
NAD
158372