NAC LDAP User Search Root

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
Hi 

I am trying to intergrate NAC into AD using LDAP.
When adding the LDAP server you must specify a "User Sear Root".
Does this location have to be a OU?
The client I am configuring this for utilizes Security Groups, If I look at the attributes for the security group it looks as follows: CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z, Nac reports success but the user group is empty.


If is use a OU group i works fine.

Any idea?

Thx
Andre
Photo of Andre Brits Kannemeyer

Andre Brits Kannemeyer

  • 5,020 Points 5k badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of Tyler Marcotte

Tyler Marcotte, Official Rep

  • 2,710 Points 2k badge 2x thumb
Andre,

The User Search Root will be the root node of the LDAP hierarchy that has all User DN's that you would need too be able to see with LDAP. If you're just trying to make sure a user is in a security group to access the wireless, you should create a rule that checks an LDAP End System group where the user has a memberOf attribute equal to CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z. If it doesn't match, then they would not match the rule.

Does that help at all?

Tyler
Photo of James A

James A, Embassador

  • 6,542 Points 5k badge 2x thumb
Yeah, NAC just does a text match on attributes of the user LDAP returns. Notably, this means you can't match a parent group using the LDAP control like this:
(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=x)
Photo of Bill Handler

Bill Handler

  • 1,224 Points 1k badge 2x thumb

Andre,

In your LDAP configuration, use:  DC=X,DC=Y,DC=Z for the user, host and ou search roots, then test.