Hello,
I will just clarify Zdenek's response for future use:
The 802.1x LDAP host group rule solution requires a placeholder rule because DHCP/DNS must perform specific actions before the rule can work.
The LDAP host group rule works like this:
In order to match the "LDAP host group rule" criteria of "exists", the NAC must perform an LDAP lookup of the FQDN of the end system; the result of the query will satisfy the "exists" criteria.
In order to know the FQDN of the end system for the lookup in Active Directory, the NAC must be able to perform a reverse DNS lookup of the IP address of the end system, and have DNS respond back with the FQDN of the device.
In order for the NAC to know the IP address to perform the reverse DNS lookup, the NAC must complete IP to MAC resolution.
In order for the NAC to complete MAC to IP address resolution the client has to have an IP address.
In order for the client to have an IP address it must have received an authorization from a _Previous authentication_ that allows it to receive an IP address.
The role of the placeholder rule is to let an unknown client get on the network, obtain an IP address, complete the process, and, if it matches the LDAP host group rule criteria, get elevated access. Without the placeholder the client could fall into a rule that gives no access to DHCP, and the entire solution will generally not work. They only need to have DHCP/DNS access.
The entire LDAP host group rule criteria process flow is the following:
1. Client connects to network
2. NAC bypasses the rule with "LDAP host group criteria" and matches the placeholder (which has DNS/DHCP allowed)
3. Client completes authentication/authorization and gets an IP address, DHCP updates DNS with new reverse record for the client
4. NAC sees DHCP request and updates hostname with the hostname, but NOT the FQDN (generally)
5. NAC completes MAC to IP resolution
6. NAC attempts a reverse DNS lookup using the obtained IP address
7. DNS returns FQDN of the end system
8. NAC updates hostname field with FQDN of the end system
9. NAC internally decides to re-auth the client (Logic in the system kicks in if LDAP host group rule is in use and the hostname field changes, causing a decision to re-auth)
10. Client is disconnected/re-authenticates (accordingly) and a new authentication event occurs
11. NAC can then use the known FQDN of the end system to perform an LDAP lookup to match the "LDAP host group" criteria, and the user will get elevated access.
This generally only happens the first time a client is connected and seen, or if for any reason we lose the FQDN of the end system.
Thanks
-Ryan
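To make the dependency chain in the post above concrete, here is an added simulation of the rule evaluation and the placeholder/re-auth sequence. It is written for this thread and is not the NAC product's code, its API, or Ryan's; the rule names, MAC addresses, IP addresses, hostnames, PTR records and host group membership are all made up for the example. It shows the three outcomes the post describes: the placeholder rule letting the client reach DHCP/DNS and then being promoted on re-auth, the flow dying when the catch-all rule denies DHCP, and the flow stalling on the placeholder when no PTR record comes back so the FQDN is never learned.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample data standing in for DHCP, the DNS zone and Active Directory.
# Every name, address and MAC here is an assumption made for this example.
DHCP_LEASES = {"00:11:22:33:44:55": ("10.0.5.23", "ws-0423"),   # MAC -> (IP, DHCP hostname)
               "66:77:88:99:aa:bb": ("10.0.5.99", "lab-pc")}
REVERSE_DNS = {"10.0.5.23": "ws-0423.corp.example.com"}          # PTR records; 10.0.5.99 has none
LDAP_HOST_GROUP = {"ws-0423.corp.example.com"}                   # computer objects in the AD host group


@dataclass
class EndSystem:
    mac: str
    ip: Optional[str] = None
    hostname: Optional[str] = None   # short DHCP name first, FQDN once the PTR lookup succeeds
    policy: Optional[str] = None


@dataclass
class Rule:
    name: str
    criteria: Callable[[EndSystem], bool]
    policy: str
    allows_dhcp_dns: bool            # whether the assigned policy lets the client reach DHCP/DNS


def ldap_host_group_exists(fqdn: str) -> bool:
    """Simulated LDAP lookup: does a computer object with this FQDN exist in the host group?"""
    return fqdn in LDAP_HOST_GROUP


def ldap_host_group_criteria(es: EndSystem) -> bool:
    # The "exists" criterion can only be satisfied once the NAC knows the FQDN;
    # the short hostname learned from the DHCP request is not enough for the lookup.
    return es.hostname is not None and "." in es.hostname and ldap_host_group_exists(es.hostname)


LDAP_RULE = Rule("LDAP host group rule", ldap_host_group_criteria, "Elevated", True)
PLACEHOLDER = Rule("Placeholder", lambda es: True, "DHCP/DNS only", True)
DENY_ALL = Rule("Default", lambda es: True, "Deny", False)


def authenticate(es: EndSystem, rules: List[Rule]) -> Rule:
    """First-match evaluation of the rule set, run on every (re-)authentication event."""
    for rule in rules:
        if rule.criteria(es):
            es.policy = rule.policy
            return rule
    raise RuntimeError("rule set must end with a catch-all rule")


def run_flow(mac: str, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Walk one end system through the post's steps; return (final policy, trail of events)."""
    es = EndSystem(mac)
    trail: List[str] = []
    matched = authenticate(es, rules)                        # steps 1-2: first auth, FQDN unknown
    trail.append(f"{matched.name} -> {matched.policy}")
    if not matched.allows_dhcp_dns:                          # no DHCP: the chain stops right here
        trail.append("no DHCP access: no IP, no reverse lookup, no LDAP match")
        return es.policy, trail
    es.ip, es.hostname = DHCP_LEASES[mac]                    # steps 3-5: lease seen, MAC-to-IP resolved
    trail.append(f"lease {es.ip}, hostname {es.hostname}")
    fqdn = REVERSE_DNS.get(es.ip)                            # steps 6-7: reverse lookup of the IP
    if fqdn is None:
        trail.append("no PTR record: hostname unchanged, no re-auth")   # the "lost FQDN" case
        return es.policy, trail
    es.hostname = fqdn                                       # step 8: hostname field now holds the FQDN
    trail.append(f"hostname changed to {fqdn}: re-auth")     # steps 9-10: hostname change triggers re-auth
    matched = authenticate(es, rules)                        # step 11: LDAP lookup can now succeed
    trail.append(f"{matched.name} -> {matched.policy}")
    return es.policy, trail


if __name__ == "__main__":
    for mac, rules in [("00:11:22:33:44:55", [LDAP_RULE, PLACEHOLDER, DENY_ALL]),
                       ("00:11:22:33:44:55", [LDAP_RULE, DENY_ALL]),
                       ("66:77:88:99:aa:bb", [LDAP_RULE, PLACEHOLDER, DENY_ALL])]:
        policy, trail = run_flow(mac, rules)
        print(mac, "=>", policy)
        for event in trail:
            print("   ", event)
```

The ordering of the rule list is the whole point: the LDAP host group rule sits first but cannot match on the initial authentication, so whatever rule comes next decides whether the client ever gets an address. The second run, with only the deny rule after it, never reaches the reverse lookup. The third run shows the caveat from the end of the post: if DNS has no PTR record for the lease, the hostname field never changes, no re-auth is triggered, and the client stays on the placeholder policy until something updates the FQDN.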