8-40
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Figure 8-7 Test Configuration Dialog Box (the dialog shows Number of Subjects: 100 and Number of Directory Groups: 6)
Number of Subjects—This value maps to the subject devices already profiled by the Cisco NAC Profiler (the devices that Profiler has actually learned).

After the Profiler receives the initial SNMP trap information from the switch, Profiler can poll the switch using SNMP to gather MIB (Management Information Base) information about the switch as well as the connecting endpoint.

After the Profiler has learned about the endpoint (for example, its MAC address and switch port), it adds the endpoint to its database. Each endpoint added to the Profiler's database is counted as one subject.

Number of Directory Groups—This value maps to the profiles that are enabled for LDAP on Profiler. If Profiler is already running on your network, default endpoint profiles are pre-configured. However, not all profiles are enabled for LDAP; they must be configured as described in Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication, page 8-36. If you are setting up Profiler for the first time, you will initially see zero groups once Profiler is up and running.
Note The subjects and directory groups are listed only if there are fewer than 100 of them. If the number of subjects or directory groups exceeds 100, the subjects and directory groups are not listed. Instead, you get a message similar to the following one:
More than 100 subjects are found.
Step 8 Click the Directory Attributes tab if you want to use the directory attributes of subject records as policy
conditions in policy rules. See Viewing LDAP Attributes, page 8-34 for more information.
Step 9 Choose NAC Profiler as the result (Identity Source) of the identity policy. For more information, see
Viewing Identity Policies, page 10-21.
As soon as the endpoint is successfully authenticated by the ACS server, ACS issues a CoA (Change of Authorization) and changes the VLAN. For this, you can configure static VLAN mapping in the ACS server. For more information, see Specifying Common Attributes in Authorization Profiles, page 9-19.
When the endpoint is successfully authenticated, the following output is displayed on the switch:
ACCESS-Switch# show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15
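The switch output above is the evidence that MAB authentication through ACS and the NAC Profiler identity store succeeded. When verifying a rollout across many ports, an operator usually wants that check automated rather than read by eye. The following script is an added example and is not part of the Cisco guide: it parses the six-column `show authentication sessions` layout shown on this page and reports every session whose Status is not "Authz Success" (pending MAB sessions, failed authorizations). The sample output is constructed for the example; only the first session line is taken from the guide, the other two rows and their session IDs are invented. The column order and the exact status strings are assumptions taken from the page, so adjust the regular expression if your IOS release prints additional columns.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output: the Fa1/0/1 line is the one shown in the guide;
# the Fa1/0/2 and Fa1/0/3 rows (and their session IDs) are invented for this
# example to exercise the non-success paths.
SAMPLE_OUTPUT = """\
ACCESS-Switch# show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15
Fa1/0/2    0014.d11b.aa37  mab     DATA    Running        505050010000004B0B41FD16
Fa1/0/3    0014.d11b.aa38  dot1x   DATA    Authz Failed   505050010000004C0B41FD17
"""


@dataclass
class AuthSession:
    interface: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


# One session row: interface, dotted-hex MAC, method, domain, a multi-word
# status (matched lazily) and a hexadecimal session ID at the end of the line.
SESSION_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+"
    r"(?P<sid>[0-9A-F]+)\s*$",
    re.IGNORECASE,
)

AUTHORIZED = "Authz Success"


def parse_sessions(text: str) -> List[AuthSession]:
    """Return the session rows found in `show authentication sessions` output.

    The prompt line and the column header do not match SESSION_RE (the MAC
    field is required to be dotted hex), so they are skipped automatically.
    """
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(AuthSession(
                interface=m["iface"],
                mac=m["mac"].lower(),
                method=m["method"].lower(),
                domain=m["domain"],
                status=m["status"].strip(),
                session_id=m["sid"],
            ))
    return sessions


def unauthorized_sessions(sessions: List[AuthSession]) -> List[AuthSession]:
    """Sessions that have not reached the authorized state (pending or failed)."""
    return [s for s in sessions if s.status != AUTHORIZED]


def mab_authorized_macs(sessions: List[AuthSession]) -> List[str]:
    """MACs authorized via MAB, i.e. the endpoints that were looked up in the
    NAC Profiler LDAP store; useful to cross-check against Profiler's subjects."""
    return [s.mac for s in sessions if s.method == "mab" and s.status == AUTHORIZED]


def summarize(text: str) -> Dict[str, object]:
    """Compact report for a single switch's output."""
    sessions = parse_sessions(text)
    pending = unauthorized_sessions(sessions)
    return {
        "total": len(sessions),
        "authorized": len(sessions) - len(pending),
        "needs_attention": [(s.interface, s.mac, s.status) for s in pending],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    print(f"{report['authorized']}/{report['total']} sessions authorized")
    for iface, mac, status in report["needs_attention"]:
        print(f"  {iface} {mac}: {status}")
```

In practice the text passed to `summarize` would come from the switch over SSH or from a collected configuration archive; the script deliberately has no transport so it runs offline. Treating anything other than "Authz Success" as needing attention errs on the side of reporting: a "Running" MAB session is normal for a few seconds after link-up, but one that stays in that state usually means the MAC was not found among Profiler's subjects or the ACS identity policy did not select NAC Profiler as the identity source.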