Cisco Clean Access 3.5
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 6      User Management: Auth Servers
Map Users to Roles Using Attributes or VLAN IDs
The Mapping Rules form can be used to map users into a user role based on the following parameters:
  • The VLAN ID of user traffic originating from the untrusted side of the CAS (all auth server types)
  • Authentication attributes passed from LDAP and RADIUS auth servers (and RADIUS attributes passed from Cisco VPN Concentrators)
For example, if you have two sets of users on the same IP subnet but with different network access 
privileges (e.g. wireless employees, and students), you can use an attribute from an LDAP server to map 
one set of users into a particular user role. You can then create traffic policies to allow network access 
to one role and deny network access to other roles. (See 
 for details on traffic policies.)
Cisco Clean Access performs the mapping sequence as shown in Figure 6-12.

Figure 6-12      Mapping Rules

Note      For an overview of how mapping rules fit into the scheme of user roles, see 
Cisco Clean Access (release 3.5.1 and above) allows the administrator to specify complex boolean 
expressions when defining mapping rules for Kerberos, LDAP and RADIUS authentication servers. 
Mapping rules are broken down into conditions and you can use boolean expressions to combine 
multiple user attributes and multiple VLAN IDs to map users into user roles. Mapping rules can be 
created for a range of VLAN IDs, and attribute matches can be made case-insensitive. This allows 
multiple conditions to be flexibly configured for a mapping rule. 
A mapping rule comprises an auth provider type, a rule expression, and the user role into which to map 
the user. The rule expression comprises one or a combination of conditions the user parameters must 
match to be mapped into the specified user role. A condition is comprised of a condition type, a source 
attribute name, an operator, and the attribute value against which the particular attribute is matched. 
To create a mapping rule you first add (save) conditions to configure a rule expression, then once a rule 
expression is created, you can add the mapping rule to the auth server for the specified user role. 
Mapping rules can be cascading. If a source has more than one mapping rule, the rules are evaluated in 
the order in which they appear in the mapping rules list. The role for the first positive mapping rule is 
used. Once a rule is met, other rules are not tested. If no rule is true, the default role for that 
authentication source is used.
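The evaluation described above, as an added example that is not Cisco's code: a small Python model of a mapping rule (auth provider type, rule expression, role) built from conditions (condition type, source attribute, operator, value), evaluated in list order with the first positive rule winning and the auth server's default role as the fallback. The operator names, the "and"/"or" joiner, the attribute and VLAN condition types, the role names and the sample users are all assumptions constructed for illustration, not the product's own syntax.

```python
"""Added example, not Cisco's code: a small model of how the page says
Clean Access evaluates mapping rules.  Everything named here (operator
names, the "and"/"or" joiner, role names, sample users) is an assumption
made for illustration, not the product's own syntax."""

from dataclasses import dataclass


@dataclass
class Condition:
    """One condition: condition type, source attribute, operator, value."""
    cond_type: str                  # "attribute" (LDAP/RADIUS attribute) or "vlan"
    attribute: str                  # source attribute name; unused for "vlan"
    operator: str                   # assumed: equals | contains | starts_with | in_range
    value: str                      # comparison value; "100-199" for in_range
    case_insensitive: bool = False  # page: attribute matches can be case-insensitive

    def matches(self, user: dict) -> bool:
        if self.cond_type == "vlan":
            vlan = user.get("vlan_id")
            if vlan is None:
                return False
            if self.operator == "in_range":
                low, high = (int(x) for x in self.value.split("-"))
                return low <= vlan <= high
            return vlan == int(self.value)
        # Attribute condition: an attribute the auth server never sent cannot match.
        actual = user.get("attributes", {}).get(self.attribute)
        if actual is None:
            return False
        actual, expected = str(actual), self.value
        if self.case_insensitive:
            actual, expected = actual.lower(), expected.lower()
        if self.operator == "equals":
            return actual == expected
        if self.operator == "contains":
            return expected in actual
        if self.operator == "starts_with":
            return actual.startswith(expected)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class MappingRule:
    """Auth provider type + rule expression (conditions joined by a Boolean op) + role."""
    provider_type: str              # "ldap", "radius" or "kerberos"
    conditions: list
    role: str
    combine: str = "and"            # assumed Boolean joiner: "and" or "or"

    def matches(self, user: dict) -> bool:
        results = [c.matches(user) for c in self.conditions]
        if self.combine == "and":
            return all(results)
        if self.combine == "or":
            return any(results)
        raise ValueError(f"unknown joiner {self.combine!r}")


def assign_role(provider_type: str, rules: list, default_role: str, user: dict) -> str:
    """Cascading evaluation as the page describes: rules for this auth server are
    tried in list order, the first positive rule's role wins and later rules are
    not tested; if no rule is true, the auth server's default role is used."""
    for rule in rules:
        if rule.provider_type == provider_type and rule.matches(user):
            return rule.role
    return default_role


# Constructed sample rules modelling the page's "wireless employees vs. students"
# scenario: both groups share a VLAN range, an LDAP group attribute splits them.
RULES = [
    MappingRule("ldap", [
        Condition("attribute", "memberOf", "contains", "cn=employees", case_insensitive=True),
        Condition("vlan", "", "in_range", "100-199"),
    ], role="employee", combine="and"),
    MappingRule("ldap", [
        Condition("attribute", "memberOf", "contains", "cn=students", case_insensitive=True),
    ], role="student"),
]
DEFAULT_ROLE = "ldap_default"   # assumed name for the LDAP server's default role

# Constructed sample users (what the CAS would see: VLAN ID plus returned attributes).
SAMPLE_USERS = {
    "alice": {"vlan_id": 120, "attributes": {"memberOf": "CN=Employees,OU=Groups,DC=example,DC=com"}},
    "bob":   {"vlan_id": 120, "attributes": {"memberOf": "CN=Students,OU=Groups,DC=example,DC=com"}},
    "carol": {"vlan_id": 300, "attributes": {"memberOf": "CN=Employees,OU=Groups,DC=example,DC=com"}},
    # dave is in both groups: rule order, not group order, decides his role.
    "dave":  {"vlan_id": 150, "attributes": {"memberOf": "CN=Students,OU=Groups,DC=example,DC=com;"
                                                         "CN=Employees,OU=Groups,DC=example,DC=com"}},
}


def roles_for(provider_type: str = "ldap") -> dict:
    """Map every sample user to a role under RULES for the given auth server type."""
    return {name: assign_role(provider_type, RULES, DEFAULT_ROLE, u)
            for name, u in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, role in roles_for().items():
        print(f"{name}: {role}")
```

Two consequences of first-match evaluation are worth checking in a real configuration: a broad rule placed early shadows every more specific rule after it (dave lands in "employee" purely because that rule is listed first), and any user whose auth server returns no matching attribute at all falls straight through to the default role, so that default role should carry the least network access you are willing to grant to an authenticated user of that server.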
[Figure 6-12 flowchart: user enters credentials; valid credentials? (yes / no); mapping rules? (yes: match rules and assign role; no: assign default role for auth server)]