https://community.extremenetworks.com/t5/extremewireless-identifi/nac-ldap-user-search-root/m-p/40296#M2640 Andre,<BR /> <BR /> The User Search Root will be the root node of the LDAP hierarchy that has all User DN's that you would need too be able to see with LDAP. If you're just trying to make sure a user is in a security group to access the wireless, you should create a rule that checks an LDAP End System group where the user has a memberOf attribute equal to CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z. If it doesn't match, then they would not match the rule.<BR /> <BR /> Does that help at all?<BR /> <BR /> Tyler<BR /> <BR /> Tue, 31 May 2016 21:54:00 GMT TylerMarcotte 2016-05-31T21:54:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/nac-ldap-user-search-root/m-p/40295#M2639 Hi <BR /> <BR /> I am trying to intergrate NAC into AD using LDAP.<BR /> When adding the LDAP server you must specify a "User Sear Root".<BR /> Does this location have to be a OU?<BR /> The client I am configuring this for utilizes Security Groups, If I look at the attributes for the security group it looks as follows: CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z, Nac reports success but the user group is empty.<BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="57ab8800f3354e90b56efb729006bbb9_RackMultipart20160531-109816-5xmx7l-ldap1_inline.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/2076i66272EB5E35014D0/image-size/large?v=v2&amp;px=999" role="button" title="57ab8800f3354e90b56efb729006bbb9_RackMultipart20160531-109816-5xmx7l-ldap1_inline.jpg" alt="57ab8800f3354e90b56efb729006bbb9_RackMultipart20160531-109816-5xmx7l-ldap1_inline.jpg" /></span></P><BR /> <BR /> If is use a OU group i works fine.<BR /> <BR /> Any idea?<BR /> <BR /> Thx<BR /> Andre Tue, 31 May 2016 17:47:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/nac-ldap-user-search-root/m-p/40295#M2639 Andre_Brits_Kan 2016-05-31T17:47:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/nac-ldap-user-search-root/m-p/40296#M2640 Andre,<BR /> <BR /> The User Search Root will be the root node of the LDAP hierarchy that has all User DN's that you would need too be able to see with LDAP. If you're just trying to make sure a user is in a security group to access the wireless, you should create a rule that checks an LDAP End System group where the user has a memberOf attribute equal to CN=Wireless Users,OU=Security Groups,OU=Global Services,DC=X,DC=Y,DC=Z. If it doesn't match, then they would not match the rule.<BR /> <BR /> Does that help at all?<BR /> <BR /> Tyler<BR /> <BR /> Tue, 31 May 2016 21:54:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/nac-ldap-user-search-root/m-p/40296#M2640 TylerMarcotte 2016-05-31T21:54:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/nac-ldap-user-search-root/m-p/40298#M2642 Andre,<BR /> <BR /> In your LDAP configuration, use: DC=X,DC=Y,DC=Z for the user, host and ou search roots, then test.<BR /> <BR /> Thu, 02 Jun 2016 16:30:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/nac-ldap-user-search-root/m-p/40298#M2642 Bill_Handler 2016-06-02T16:30:00Z