Header Only - DO NOT REMOVE - Extreme Networks

NAC LDAP User Search Root


Userlevel 5
Hi

I am trying to intergrate NAC into AD using LDAP.
When adding the LDAP server you must specify a "User Sear Root".
Does this location have to be a OU?
The client I am configuring this for utilizes Security Groups, If I look at the attributes for the security group it looks as follows: CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z, Nac reports success but the user group is empty.



If is use a OU group i works fine.

Any idea?

Thx
Andre

3 replies

Userlevel 4
Andre,

The User Search Root will be the root node of the LDAP hierarchy that has all User DN's that you would need too be able to see with LDAP. If you're just trying to make sure a user is in a security group to access the wireless, you should create a rule that checks an LDAP End System group where the user has a memberOf attribute equal to CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z. If it doesn't match, then they would not match the rule.

Does that help at all?

Tyler
Tyler Marcotte wrote:

Andre,

The User Search Root will be the root node of the LDAP hierarchy that has all User DN's that you would need too be able to see with LDAP. If you're just trying to make sure a user is in a security group to access the wireless, you should create a rule that checks an LDAP End System group where the user has a memberOf attribute equal to CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z. If it doesn't match, then they would not match the rule.

Does that help at all?

Tyler

Yeah, NAC just does a text match on attributes of the user LDAP returns. Notably, this means you can't match a parent group using the LDAP control like this:
code:
(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=x)
[/code]
Userlevel 3
Andre,

In your LDAP configuration, use: DC=X,DC=Y,DC=Z for the user, host and ou search roots, then test.

Reply