Yeah, you can't do any mappings using the old WinNT method of
authentication. Best bet would probably be to try LDAP.
Nate
Miller, Paul wrote:
> It's set up as Windows NT authentication. When I try and add a mapping
> the only option I get is for VLAN ID. When we first set up Clean Access
> this was the only option that would work for us. Looks like I may have
> to change that.
>
> Paul Miller
> Network Administrator
> Dominican University
> 708-524-6641
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Nathaniel Austin
> Sent: Friday, April 18, 2008 10:51 AM
> To: [log in to unmask]
> Subject: Re: Block user
>
> Is it an AD-SSO, LDAP, or Kerberos Auth server?
>
> If AD-SSO or LDAP you could create a mapping rule on his/her user name.
>
> Nate
>
> Miller, Paul wrote:
>
>> This would be fine. I'm not sure how to do this. I have a "Problem
>> Role" set up, but can't figure out how to put a single AD authenticated
>> user in that role.
>>
>>
>> Paul Miller
>> Network Administrator
>> Dominican University
>> 708-524-6641
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[log in to unmask]] On Behalf Of Ben Fielden
>> Sent: Friday, April 18, 2008 10:09 AM
>> To: [log in to unmask]
>> Subject: Re: Block user
>>
>> Yea, I'm with Greg on this. How would you know whose permissions to
>> apply if they have yet to log in?
>>
>> Here at GW we do two tiers of blocking. If we get a notification that
>> the user needs to be turned off (disciplinary action, legal action,
>> etc.) then their account gets the problem role and their only access is
>> to an "Access Denied - Call Student Technology Services" site. If the
>> issue is the machine that they're on (bandwidth use, file sharing,
>> security issue of some kind, etc.) then the MAC gets filtered in the
>> manager to use that same role and they only get access to that same
>> site. Sometimes both of these methods have to be applied together if a
>> user gets his/her roommate to log in for them.
>>
>> Ben Fielden
>> Student Technology Services
>> The George Washington University
>>
>> Greg Schaffer wrote:
>>
>>> I think by definition the user has to authenticate ("log in") so as to
>>> identify a restricted role the user can then be placed in. If the user
>>> doesn't log in, how would you know what user to apply policy to?
>>>
>>> Greg
>>>
>>> Greg Schaffer, CISSP
>>>
>>> Director of Network Services
>>>
>>> Middle Tennessee State University
>>>
>>> ------------------------------------------------------------------------
>>>
>>> *From:* Cisco Clean Access Users and Administrators
>>> [mailto:[log in to unmask]] *On Behalf Of *Miller, Paul
>>> *Sent:* Friday, April 18, 2008 9:22 AM
>>> *To:* [log in to unmask]
>>> *Subject:* Block user
>>>
>>> Can anyone tell me if there is a way to restrict a user from logging
>>> in to Clean Access. I noticed that I can restrict a device, but no
>>> options for a user.
>>>
>>> Paul Miller
>>>
>>> Network Administrator
>>>
>>> Dominican University
>>>
>>> River Forest, IL
>>>
>>> 708-524-6641
>>>
>>>
>>>