Cisco Systems 4.2 Server User Manual
Configuration Guide for Cisco Secure ACS 4.2 (OL-14390-02), page 6-12
Chapter 6 Agentless Host Support Configuration Scenario
Basic Configuration Steps for Agentless Host Support
How the Subtrees Work
The sample LDAP data in Example 6-1 contains two LDIF entries, each an organizationalUnit, that define the two subtrees (LDIF separates entries with a blank line):
dn: ou=MAC Addresses, ou=MAB Segment, o=mycorp
ou: MAC Addresses
objectClass: top
objectClass: organizationalUnit

dn: ou=MAC Groups, ou=MAB Segment, o=mycorp
ou: MAC Groups
objectClass: top
objectClass: organizationalUnit
The LDAP subtrees are:
MAC Addresses—A user directory subtree that contains one device record per agentless host. An agentless host is a device that cannot run an IEEE 802.1X supplicant, so ACS authenticates it by the MAC address stored in its device record.
When you specify a user directory subtree during LDAP configuration in the ACS user interface, enter the name assigned to this subtree in your LDAP schema in the User Directory Subtree text box.
MAC Groups—A group directory subtree that contains LDAP user groups. Each group lists the users who connect from the MAC devices identified in the device records.
When you specify a group directory subtree during LDAP configuration in the ACS user interface, enter the name assigned to this subtree in your LDAP schema in the Group Directory Subtree text box.
How the LDAP User Groups Work
Each LDAP user group record defines an LDAP user group and maps to it the users who connect through one or more devices; each device is referenced by the DN of its device record in the MAC Addresses subtree.
For example, the LDAP user group record with cn=Group_1_colon maps users connecting from three hosts, including the host at 10.56.60.100, to that group:
dn: cn=Group_1_colon,ou=MAC Groups, ou=MAB Segment, o=mycorp
objectClass: top
objectClass: groupofuniquenames
description: group of delimited MAC Addresses
uniqueMember: cn=user00-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp
uniqueMember: cn=user77a-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp
uniqueMember: cn=user88-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp
cn: Group_1_colon
When a host connects, ACS queries the LDAP database to find the device record that matches the host's MAC address and then determines which LDAP user groups list that device record as a member. ACS then assigns users in that LDAP user group to the ACS user group that you configure for it.
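The following Python is an added example that models, offline, the three-step lookup just described; it is not code from the Cisco guide or from ACS. It parses a small constructed LDIF (two hypothetical device records plus a group record shaped like the cn=Group_1_colon entry above), normalizes the connecting host's MAC address and the DNs being compared, finds the device record in the user directory subtree, finds the groupOfUniqueNames entries in the group directory subtree that reference it, and maps the LDAP group to an ACS user group. Two things are assumptions not present on this page: the device records hold the MAC in an attribute named macAddress (the guide's device records are not reproduced here), and the dictionary ACS_GROUP_MAP stands in for the group mapping you configure in ACS.

```python
import re

# Added example, not Cisco code. Assumptions not in the guide: device records keep
# the MAC in an attribute named macAddress; ACS_GROUP_MAP stands in for the
# ACS-side mapping of LDAP group to ACS user group. All sample data is constructed.
BASE_DN = "ou=MAB Segment, o=mycorp"
USER_SUBTREE = "ou=MAC Addresses, " + BASE_DN    # User Directory Subtree text box
GROUP_SUBTREE = "ou=MAC Groups, " + BASE_DN      # Group Directory Subtree text box

SAMPLE_LDIF = """\
dn: cn=user00-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp
objectClass: top
objectClass: device
cn: user00-wxp.emea.mycorp.com
macAddress: 00:0a:95:9d:68:16

dn: cn=user77a-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp
objectClass: top
objectClass: device
cn: user77a-wxp.emea.mycorp.com
macAddress: 00:0a:95:9d:68:17

dn: cn=Group_1_colon,ou=MAC Groups, ou=MAB Segment, o=mycorp
objectClass: top
objectClass: groupofuniquenames
description: group of delimited MAC Addresses
uniqueMember: cn=user00-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp
uniqueMember: cn=user77a-wxp.emea.mycorp.com, ou=MAC Addresses, ou=MAB Segment, o=mycorp
cn: Group_1_colon
"""

ACS_GROUP_MAP = {"Group_1_colon": "Agentless Printers"}   # hypothetical ACS group

def normalize_dn(dn):
    """Ignore attribute-type case and the whitespace the guide itself mixes
    ('cn=Group_1_colon,ou=MAC Groups' vs 'ou=MAC Groups, ou=...'); escaped commas not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def normalize_mac(mac):
    """Reduce 00-0A-95-9D-68-16 / 000a.959d.6816 / 000A959D6816 to the colon form the
    Group_1_colon records use; reject anything that is not exactly 12 hex digits."""
    if not re.fullmatch(r"[0-9A-Fa-f.:\-\s]+", mac):
        raise ValueError("not a MAC address: %r" % mac)
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values, no changetype records): entries are
    blank-line separated, folded lines start with one space. -> {normalized_dn: {attr: [values]}}"""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries

def in_subtree(dn, subtree):
    return normalize_dn(dn).endswith("," + normalize_dn(subtree))

def find_device(entries, mac):
    """Step 1: device record in the user directory subtree whose macAddress matches."""
    wanted = normalize_mac(mac)
    for dn, attrs in entries.items():
        if in_subtree(dn, USER_SUBTREE):
            for value in attrs.get("macaddress", []):
                try:
                    if normalize_mac(value) == wanted:
                        return dn
                except ValueError:
                    continue                  # skip a corrupt record, do not crash
    return None

def groups_for_device(entries, device_dn):
    """Step 2: groupOfUniqueNames entries in the group subtree listing the device DN."""
    target = normalize_dn(device_dn)
    groups = []
    for dn, attrs in entries.items():
        if not in_subtree(dn, GROUP_SUBTREE):
            continue
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        members = [normalize_dn(m) for m in attrs.get("uniquemember", [])]
        if "groupofuniquenames" in classes and target in members:
            groups.append(attrs["cn"][0])
    return groups

def acs_group_for_mac(mac, entries=None):
    """Step 3: LDAP group -> configured ACS user group; None (unknown/unmapped) is a deny."""
    entries = parse_ldif(SAMPLE_LDIF) if entries is None else entries
    device_dn = find_device(entries, mac)
    for group_cn in groups_for_device(entries, device_dn) if device_dn else []:
        if group_cn in ACS_GROUP_MAP:
            return ACS_GROUP_MAP[group_cn]
    return None
```

Two details matter in practice and are the reason the example normalizes before comparing. First, the guide's own records write DNs with inconsistent spacing after the comma, and MAC addresses arrive from the switch in whatever spelling the RADIUS User-Name uses, so a byte-for-byte comparison would silently fail to match legitimate hosts; a strict 12-hex-digit check also stops a malformed identifier from matching anything. Second, a MAC address is trivially spoofed by anyone who can observe it, so the ACS user group that a MAC-based LDAP group maps to should carry only the access a replaceable printer or badge reader needs, and an unknown MAC should map to no group at all.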