NAC LDAP User Search Root

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered

I am trying to intergrate NAC into AD using LDAP.
When adding the LDAP server you must specify a "User Sear Root".
Does this location have to be a OU?
The client I am configuring this for utilizes Security Groups, If I look at the attributes for the security group it looks as follows: CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z, Nac reports success but the user group is empty.

If is use a OU group i works fine.

Any idea?

Photo of Andre Brits Kannemeyer

Andre Brits Kannemeyer

  • 5,288 Points 5k badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of Tyler Marcotte

Tyler Marcotte, Official Rep

  • 2,784 Points 2k badge 2x thumb

The User Search Root will be the root node of the LDAP hierarchy that has all User DN's that you would need too be able to see with LDAP. If you're just trying to make sure a user is in a security group to access the wireless, you should create a rule that checks an LDAP End System group where the user has a memberOf attribute equal to CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z. If it doesn't match, then they would not match the rule.

Does that help at all?

Photo of James A

James A, Embassador

  • 7,204 Points 5k badge 2x thumb
Yeah, NAC just does a text match on attributes of the user LDAP returns. Notably, this means you can't match a parent group using the LDAP control like this:
Photo of Bill Handler

Bill Handler

  • 1,414 Points 1k badge 2x thumb


In your LDAP configuration, use:  DC=X,DC=Y,DC=Z for the user, host and ou search roots, then test.