Table Of Contents
Configuring User Group Permissions
Adding User Groups
Editing User Groups
Deleting User Groups
Specifying the Order of User Groups
Mapping to Active Directory Groups
Mapping to LDAP Groups
Mapping to RADIUS Groups
Assigning Guest Roles
Configuring User Group Permissions
User groups are the method by which to assign permissions to the sponsors. You can set role-based permissions for sponsors to allow or restrict access to different functions, such as creating accounts, modifying accounts, generating reports, and sending account details to guests by email or SMS.
Once you have created a user group you should then create mapping rules to map the sponsor to a group based upon information returned from the authentication server such as Active Directory Group, LDAP Group membership, or RADIUS Class attribute.
Tip
By default, all users are assigned to the DEFAULT group. If you only want a single classification of sponsors, you can edit the DEFAULT group.
This chapter describes the following:
• Adding User Groups
• Editing User Groups
• Deleting User Groups
• Specifying the Order of User Groups
• Mapping to Active Directory Groups
• Mapping to LDAP Groups
• Mapping to RADIUS Groups
• Assigning Guest Roles
Adding User Groups
You can create a new sponsor user group using the following steps.
Step 1
From the administration interface select Authentication > User Groups from the left hand menu (Figure 5-1).
Figure 5-1 User Groups
Step 2
Click the Add Group button to add a new user group.
Step 3
From the Add a New User Group page (Figure 5-2), enter the name for a new user group.
Figure 5-2 Add New User Group
Step 4
Click the Add Group button to add the user group. You can now edit the settings for the new user group (Figure 5-3).
Figure 5-3 Edit New User Group
Step 5
Set Permissions for the new User Group as follows:
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server. Otherwise, select No.
• Create Account—Select Yes to allow sponsors to create guest accounts. Otherwise, select No.
• Create Bulk Accounts—Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details. Otherwise, select No.
• Create Random Accounts—Select Yes to allow sponsors to create multiple random accounts without initially capturing the guests' details. Otherwise, select No.
• Import CSV—Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file. Otherwise, select No.
• Send Email—Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user. Otherwise, select No.
• Send SMS—Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user. Otherwise, select No.
• Edit Account—Choose one of the following permissions for editing the end date/time on guest accounts:
  – No—Sponsors are not allowed to edit any accounts.
  – Own Account—Sponsors are allowed to edit only the accounts they created.
  – All Accounts—Sponsors are allowed to edit any guest accounts.
• Suspend Account—Choose one of the following options for suspending accounts:
  – No—Sponsors are not allowed to suspend any accounts.
  – Own Account—Sponsors are allowed to suspend only the accounts they created.
  – All Accounts—Sponsors are allowed to suspend any guest accounts.
• Active Accounts—Choose one of the following permissions for viewing reporting details for active accounts:
  – No—Sponsors are not allowed to view reporting details on any accounts.
  – Own Account—Sponsors are allowed to view reporting details for only the accounts they created.
  – All Accounts—Sponsors are allowed to view reporting details on any active guest accounts.
• Full Reporting—Choose one of the following permissions for running full reporting:
  – No—Sponsors are not allowed to run full reporting on any accounts.
  – Own Account—Sponsors are allowed to run full reporting for only the accounts they created.
  – All Accounts—Sponsors are allowed to run full reporting on any active guest accounts.
• Number of days in the future—This specifies how far in the future accounts can be created. Specify the maximum number of days ahead that accounts are allowed to be created.
• Maximum duration of account—This specifies the maximum length (in days) that the sponsor can configure for an account.
• Show account dates as—This defines the method a sponsor can use to specify when an account is valid. There are two options:
  – Start Date/End Date—The sponsor is shown a calendar they can use to specify the time and date an account starts and ends.
  – Template Options—You can specify a list of preset durations that the sponsor can use when creating accounts, such as 1 hour, 1 day, or 3 days. If this is selected, the template options are shown on the Create Guest page. The maximum template option cannot be greater than the value specified in the maximum duration.
Step 6
Click the Save Group button to add the group with the permissions specified.
Note
Until you click the Save Group button on this screen, the group will not be created.
Step 7
Follow the instructions in Mapping to Active Directory Groups, Mapping to LDAP Groups or Mapping to RADIUS Groups so that you can correctly map users to your group based upon group information from the authentication server.
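The permissions above combine two kinds of checks: scoped rights (No / Own Account / All Accounts) that depend on who created the account, and date limits (days in the future, maximum duration, template options) that bound what a sponsor can request. The following is an added example, not code from the Guest Server or from Cisco, that models a user group's permissions and enforces them the way the descriptions above read; the class and function names, the hour-based template durations and the sample group are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Scope(Enum):
    """The three-way setting used by Edit Account, Suspend Account and the reporting options."""
    NO = "No"
    OWN = "Own Account"
    ALL = "All Accounts"


@dataclass
class GroupPermissions:
    """Hypothetical model of one sponsor user group's settings (constructed for this example)."""
    name: str
    allow_login: bool = True
    create_account: bool = True
    edit_account: Scope = Scope.NO
    suspend_account: Scope = Scope.NO
    days_in_future: int = 0          # "Number of days in the future"
    max_duration_days: int = 1       # "Maximum duration of account"
    template_options: list = field(default_factory=list)  # preset durations in hours; empty = calendar mode


@dataclass
class GuestAccount:
    username: str
    sponsor: str                     # the sponsor who created the account
    start: datetime
    end: datetime


def scope_allows(scope: Scope, sponsor: str, account: GuestAccount) -> bool:
    """Own Account only matches accounts this sponsor created; All Accounts matches everything."""
    if scope is Scope.ALL:
        return True
    if scope is Scope.OWN:
        return account.sponsor == sponsor
    return False


def can_edit(group: GroupPermissions, sponsor: str, account: GuestAccount) -> bool:
    return scope_allows(group.edit_account, sponsor, account)


def can_suspend(group: GroupPermissions, sponsor: str, account: GuestAccount) -> bool:
    return scope_allows(group.suspend_account, sponsor, account)


def validate_new_account(group: GroupPermissions, start: datetime, end: datetime, now: datetime) -> list:
    """Return the list of violated group limits for a requested account; an empty list means allowed."""
    problems = []
    if not group.allow_login:
        problems.append("login not allowed")
    if not group.create_account:
        problems.append("create account not allowed")
    if end <= start:
        problems.append("end must be after start")
    if start > now + timedelta(days=group.days_in_future):
        problems.append("start date too far in the future")
    if end - start > timedelta(days=group.max_duration_days):
        problems.append("exceeds maximum duration")
    return problems


def invalid_template_options(group: GroupPermissions) -> list:
    """Template presets (hours) that exceed the group's maximum duration and must be removed."""
    limit_hours = group.max_duration_days * 24
    return [hours for hours in group.template_options if hours > limit_hours]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0)  # constructed clock value
    lobby = GroupPermissions("LOBBY", edit_account=Scope.OWN, suspend_account=Scope.ALL,
                             days_in_future=7, max_duration_days=3, template_options=[1, 24, 72])
    acct = GuestAccount("guest1", "alice", now, now + timedelta(hours=24))
    print("alice edits own account:", can_edit(lobby, "alice", acct))
    print("bob edits alice's account:", can_edit(lobby, "bob", acct))
    print("bob suspends alice's account:", can_suspend(lobby, "bob", acct))
    print("4-day request:", validate_new_account(lobby, now, now + timedelta(days=4), now))
    print("bad presets:", invalid_template_options(lobby))
```

The ownership check is the part worth getting right: Own Account is evaluated against the sponsor recorded on the account, not against the current request, so two sponsors in the same group still cannot touch each other's accounts.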
Editing User Groups
The following steps describe how to edit sponsor user groups.
Step 1
From the administration interface select Authentication > User Groups from the left hand menu.
Step 2
Select the group you wish to edit and click the Edit Group button (Figure 5-4).
Figure 5-4 Select the User group to Edit
Step 3
In the Edit an existing User Group page (Figure 5-5), change the settings for the group.
Figure 5-5 Edit User Group
Step 4
Edit Permissions for the User Group as follows:
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server. Otherwise, select No.
• Create Account—Select Yes to allow sponsors to create guest accounts. Otherwise, select No.
• Create Bulk Accounts—Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details. Otherwise, select No.
• Create Random Accounts—Select Yes to allow sponsors to create multiple random accounts without initially capturing the guests' details. Otherwise, select No.
• Import CSV—Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file. Otherwise, select No.
• Send Email—Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user. Otherwise, select No.
• Send SMS—Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user. Otherwise, select No.
• Edit Account—Choose one of the following permissions for editing the end date/time on guest accounts:
  – No—Sponsors are not allowed to edit any accounts.
  – Own Account—Sponsors are allowed to edit only the accounts they created.
  – All Accounts—Sponsors are allowed to edit any guest accounts.
• Suspend Account—Choose one of the following options for suspending accounts:
  – No—Sponsors are not allowed to suspend any accounts.
  – Own Account—Sponsors are allowed to suspend only the accounts they created.
  – All Accounts—Sponsors are allowed to suspend any guest accounts.
• Active Accounts—Choose one of the following permissions for viewing reporting details for active accounts:
  – No—Sponsors are not allowed to view reporting details on any accounts.
  – Own Account—Sponsors are allowed to view reporting details for only the accounts they created.
  – All Accounts—Sponsors are allowed to view reporting details on any active guest accounts.
• Full Reporting—Choose one of the following permissions for running full reporting:
  – No—Sponsors are not allowed to run full reporting on any accounts.
  – Own Account—Sponsors are allowed to run full reporting for only the accounts they created.
  – All Accounts—Sponsors are allowed to run full reporting on any active guest accounts.
• Number of days in the future—This specifies how far in the future accounts can be created. Specify the maximum number of days ahead that accounts are allowed to be created.
• Maximum duration of account—This specifies the maximum length (in days) that the sponsor can configure for an account.
• Show account dates as—This defines the method a sponsor can use to specify when an account is valid. There are two options:
  – Start Date/End Date—The sponsor is shown a calendar they can use to specify the time and date an account starts and ends.
  – Template Options—You can specify a list of preset durations that the sponsor can use when creating accounts, such as 1 hour, 1 day, or 3 days. If this is selected, the template options are shown on the Create Guest page. The maximum template option cannot be greater than the value specified in the maximum duration.
Step 5
Click the Save Group button to save the changes to the group.
Step 6
Follow the instructions in Mapping to Active Directory Groups, Mapping to LDAP Groups or Mapping to RADIUS Groups so that you can correctly map users to your group based upon group information from the authentication server.
Deleting User Groups
Step 1
From the administration interface select Authentication > User Groups from the left hand menu.
Figure 5-6 List Groups to Delete
Step 2
Select the group you wish to delete and click the Delete Group button (Figure 5-6).
Step 3
Confirm deletion at the prompt.
Note
If any Local Users are part of this group, you must delete the user before deleting the user group. Alternatively, you can move Local Users to another group to "empty" it before deleting the user group.
Specifying the Order of User Groups
When a sponsor logs in to the Cisco NAC Guest Server, the system checks each group in turn to see if the sponsor should be given the privileges of that group. The groups are processed in the order in which they appear in the User Groups list box (Figure 5-7). If a user does not match a user group, they are given the privileges of the DEFAULT group.
Step 1
From the administration interface select Authentication > User Groups from the left hand menu.
Figure 5-7 Order User Groups
Step 2
Select the group you wish to order and click the up or down button until the group is in position (Figure 5-7).
Step 3
Repeat for all groups until they appear in the order you require.
Step 4
Click the Change Order button to save the order.
Mapping to Active Directory Groups
If a sponsor authenticates to the Cisco NAC Guest Server using Active Directory authentication, the Cisco NAC Guest Server can map them into a user group by their membership in Active Directory groups.
Note
Cisco NAC Guest Server does not support recursive group lookups. You must specify a group that the user is directly a member of.
If you have configured AD authentication (as described in Configuring Active Directory (AD) Authentication, page 4-5), then the Guest Server automatically retrieves a list of all the groups configured within all the AD servers configured.
Selecting an Active Directory Group from the dropdown provides all sponsor users who are in this AD group the permissions of this group.
Step 1
Select Active Directory Mapping from the top menu when in the add user group or edit user group screen.
Figure 5-8 Active Directory Group Mapping
Step 2
Select the group you wish to match against and click the Assign Group button.
Note
By default, Active Directory only returns a maximum of 1000 groups in response to a Cisco NAC Guest Server search. If you have more than 1000 groups and have not increased the LDAP search size, it is possible that the group you want to match will not appear. In this situation, you can manually enter the group name in the Active Directory Group combo box.
Mapping to LDAP Groups
If a sponsor authenticates to the Cisco NAC Guest Server using LDAP authentication, the Cisco NAC Guest Server can map them into a user group by their membership of LDAP groups.
Note
Cisco NAC Guest Server does not support recursive group lookups. You must specify a group that the user is directly a member of.
Based on the settings of the LDAP server that you authenticate against, the Cisco NAC Guest Server uses one of two methods for mapping the sponsor using group information.
There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method the user object has one or more attributes that list the groups that the user is a member of. If your LDAP server uses this method of storing group membership, then you need to enter the name of the attribute which holds the groups the user is a member of.
2. Storing the user membership in an attribute of the group object. With this method there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, then you need to specify the group to check under the LDAP mapping section of the User Group you want to match the user to.
When you define the LDAP server you will have specified one of these options.
If the LDAP server supports the first option then you will have to specify to check the user attribute for a certain string.
If the LDAP server supports the second option then you will need to enter the full DN of the group you want to check membership of. The Cisco NAC Guest Server will then look in the attribute to make sure that it contains the name of the user who has logged in.
Step 1
Select LDAP Mapping from the top menu when in the add user group or edit user group screen (Figure 5-9).
Figure 5-9 LDAP Group Mapping
Step 2
If your LDAP server uses user attributes to store group membership, enter the group name to check and specify whether the attribute value must equal the text string or merely contain it.
Note
If you use contains the string, the LDAP server must have wildcard searches enabled.
Step 3
If your LDAP server stores group membership in the group object, then specify the full DN of the group you want to check and the name of the attribute that will be checked for the sponsor's username.
Step 4
Click the Assign Attributes button to save the LDAP group mapping.
Note
You can specify both options for the same group. The option that you check depends on the setting on the LDAP server with which the sponsor successfully authenticates.
Mapping to RADIUS Groups
If a sponsor authenticates to the Cisco NAC Guest Server using RADIUS authentication then the Cisco NAC Guest Server can map them into a user group by using information returned to the Cisco NAC Guest Server in the authentication request.
The information must be placed into the class attribute on the RADIUS server.
Step 1
Select Radius Mapping from the top menu when in the add user group or edit user group page (Figure 5-10).
Figure 5-10 RADIUS Group Mapping
Step 2
Enter the string you want to match against the class attribute that is returned in the RADIUS authentication reply. You can specify from the drop-down if you want to exactly match the string (equals the string) or match a substring (contains the string).
Step 3
Click the Assign Group button.
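The three mapping sections (Active Directory, LDAP and RADIUS) all feed the same decision described under Specifying the Order of User Groups: groups are tried in list order, the first group with a matching rule wins, and a sponsor who matches nothing lands in DEFAULT. The following is an added example, not the Guest Server's own code, that evaluates all of those rule types over constructed authentication results, including both LDAP methods (membership on the user object with equals/contains, and a member list on the group object looked up by full DN) and the RADIUS Class attribute. The rule-kind names, the "ad"/"ldap"/"radius" source labels, the directory entries and the sample groups are assumptions made for the illustration; it deliberately honours the note above by checking direct membership only.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SponsorAuthInfo:
    """What the authentication server returned for a sponsor login (constructed sample data)."""
    username: str
    source: str                                 # "ad", "ldap" or "radius" (labels assumed here)
    ad_groups: tuple = ()                       # AD groups the sponsor is a direct member of
    user_attributes: dict = field(default_factory=dict)  # LDAP user-object attributes (method 1)
    radius_class: Optional[str] = None          # Class attribute from the RADIUS reply


@dataclass
class MappingRule:
    kind: str              # "ad_group", "ldap_user_attr", "ldap_group_member" or "radius_class"
    value: str             # AD group name, string to look for, group DN, or Class string
    attribute: str = ""    # LDAP attribute to inspect (e.g. memberOf on the user, member on the group)
    match: str = "equals"  # "equals" or "contains"; used by LDAP user-attribute and RADIUS rules


@dataclass
class UserGroup:
    name: str
    rules: list


def text_matches(candidate: str, wanted: str, mode: str) -> bool:
    return candidate == wanted if mode == "equals" else wanted in candidate


def rule_matches(rule: MappingRule, auth: SponsorAuthInfo, ldap_groups: dict) -> bool:
    """Evaluate one mapping rule. Only rules for the server the sponsor actually
    authenticated against can match, so an AD group name never applies to an LDAP login."""
    if rule.kind == "ad_group" and auth.source == "ad":
        # Direct membership only: no recursive (nested) group lookups
        return rule.value in auth.ad_groups
    if rule.kind == "ldap_user_attr" and auth.source == "ldap":
        # LDAP method 1: the user object lists its groups in an attribute
        values = auth.user_attributes.get(rule.attribute, [])
        return any(text_matches(v, rule.value, rule.match) for v in values)
    if rule.kind == "ldap_group_member" and auth.source == "ldap":
        # LDAP method 2: the group object, found by full DN, lists its members
        group = ldap_groups.get(rule.value)
        return group is not None and auth.username in group.get(rule.attribute, [])
    if rule.kind == "radius_class" and auth.source == "radius":
        return auth.radius_class is not None and text_matches(auth.radius_class, rule.value, rule.match)
    return False


def resolve_group(ordered_groups: list, auth: SponsorAuthInfo, ldap_groups: dict,
                  default: str = "DEFAULT") -> str:
    """Try groups in list order; the first with any matching rule wins, else DEFAULT."""
    for group in ordered_groups:
        if any(rule_matches(rule, auth, ldap_groups) for rule in group.rules):
            return group.name
    return default


# Constructed LDAP group objects keyed by DN (hypothetical directory content)
LDAP_GROUPS = {
    "cn=helpdesk,ou=groups,dc=example,dc=com": {
        "member": ["uid=carol,ou=people,dc=example,dc=com"],
    },
}

# Constructed user groups, in the order they would appear in the User Groups list
USER_GROUPS = [
    UserGroup("LOBBY_ADMINS", [
        MappingRule("ad_group", "Lobby Admins"),
        MappingRule("radius_class", "lobby", match="contains"),
    ]),
    UserGroup("HELPDESK", [
        MappingRule("ldap_user_attr", "cn=helpdesk", attribute="memberOf", match="contains"),
        MappingRule("ldap_group_member", "cn=helpdesk,ou=groups,dc=example,dc=com", attribute="member"),
    ]),
    UserGroup("ANY_LDAP_USER", [
        MappingRule("ldap_user_attr", "dc=example,dc=com", attribute="memberOf", match="contains"),
    ]),
]

if __name__ == "__main__":
    samples = [
        SponsorAuthInfo("alice", "ad", ad_groups=("Lobby Admins",)),
        SponsorAuthInfo("bob", "radius", radius_class="sponsor-lobby-east"),
        SponsorAuthInfo("uid=carol,ou=people,dc=example,dc=com", "ldap"),
        SponsorAuthInfo("dave", "ldap", user_attributes={"memberOf": ["cn=helpdesk,ou=groups,dc=example,dc=com"]}),
        SponsorAuthInfo("erin", "radius", radius_class="finance"),
    ]
    for s in samples:
        print(f"{s.username:45} -> {resolve_group(USER_GROUPS, s, LDAP_GROUPS)}")
```

Two things this makes concrete: a broad contains rule such as ANY_LDAP_USER only stays harmless while it sits below the more specific groups, so group order is part of the permission model; and a sponsor is only ever matched against rules for the server that actually authenticated them, which is why each group can carry AD, LDAP and RADIUS mappings at the same time.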
Assigning Guest Roles
Guest Roles allow a sponsor to assign a different level of access to a guest account. You can choose which sponsor user groups are allowed to assign certain roles to guests.
By default, a user group has the ability to assign guests to the default role. The administrator can choose which additional groups the sponsor can assign, or can remove the default role from the user group.
Each user group must have the ability to assign guests to at least one role.
If a user group has only one role selected, the sponsor does not see an option to select the role. If they have the ability to choose more than one role, they see a dropdown menu asking which role to put the account into on the account creation screen.
Step 1
Select Roles from the top menu when in the add user group or edit user group page (Figure 5-11).
Figure 5-11 Roles
Step 2
The roles that the sponsor user group has permission to assign are displayed in the Selected Roles list. Move the roles between the Available Roles and Selected Roles lists using the arrow buttons.
Step 3
Click the Submit button to assign the permission to create guests in the roles to the user group.