8-35
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
This means the switch port to which these devices attach cannot authenticate them using the 802.1X
exchange of device or user credentials and must revert to an authentication mechanism other than
port-based authentication (typically endpoint MAC address-based) in order for them to connect to the
network.
Cisco NAC Profiler provides a solution for identifying and locating the endpoints that are unable to
interact with the authentication component of these systems so that these endpoints can be provided an
alternative mechanism for admission to the network.
NAC Profiler consists of an LDAP-enabled directory, which can be used for MAC Authentication Bypass
(MAB). Thus, the NAC Profiler acts as an external LDAP database for ACS to authenticate
non-802.1X-capable devices.
Note You can use the ACS internal host database to define the MAC addresses for non-802.1X-capable
devices. However, if you already have a NAC Profiler in your network, you can use it to act as an external
MAB database.
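The MAB lookup described above is an attribute match on the endpoint's MAC address against the directory. The following is an added illustration, not code from ACS or NAC Profiler: it normalizes the MAC address as a switch might present it in a MAB request (dotted, dashed, colon-separated or bare hex), builds the kind of LDAP equality filter such a lookup would use, and resolves the endpoint against a small constructed in-memory directory standing in for the NAC Profiler LDAP store. The attribute name `macAddress`, the sample entries and the profile names are assumptions for this example.

```python
import re
from typing import Optional

# Constructed sample directory standing in for the NAC Profiler LDAP store
# (assumption for this example; real entries are built by NAC Profiler).
KNOWN_ENDPOINTS = {
    "00:1a:2b:3c:4d:5e": {"cn": "printer-floor2", "profile": "Printers"},
    "aa:bb:cc:dd:ee:ff": {"cn": "ip-phone-117", "profile": "IP Phones"},
}

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as lowercase colon-separated octets, or None if malformed.

    Switches present the MAB identity in several shapes (0011.2233.4455,
    00-11-22-33-44-55, 001122334455, ...). The directory must be keyed on one
    canonical form, otherwise a known endpoint is silently rejected.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _TWELVE_HEX.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_mab_filter(raw_mac: str, attr: str = "macAddress") -> Optional[str]:
    """Build the LDAP equality filter for a MAB lookup.

    Only a successfully normalized MAC is ever placed in the filter, so
    arbitrary identity strings from the request never reach the directory.
    """
    mac = normalize_mac(raw_mac)
    if mac is None:
        return None
    return f"({attr}={mac})"


def mab_lookup(raw_mac: str, directory=KNOWN_ENDPOINTS) -> dict:
    """Resolve a MAB identity: accept with its profile, or reject with a reason."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return {"result": "reject", "reason": "malformed MAC"}
    entry = directory.get(mac)
    if entry is None:
        return {"result": "reject", "reason": "unknown endpoint", "mac": mac}
    return {"result": "accept", "mac": mac, "cn": entry["cn"],
            "profile": entry["profile"]}


if __name__ == "__main__":
    # Constructed MAB identities as different switch platforms might send them.
    for ident in ("0011.2233.4455", "00-1A-2B-3C-4D-5E", "aabbccddeeff", "bogus"):
        print(ident, "->", build_mab_filter(ident), mab_lookup(ident))
```

The reject branches matter as much as the accept branch: a malformed identity is refused before any directory query is issued, and an unknown MAC is logged with its canonical form so that a missing Profiler entry can be distinguished from a formatting mismatch.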
To leverage Cisco NAC Profiler as an external MAB database, you must:
Enable the LDAP Interface on Cisco NAC Profiler. See Enabling the LDAP Interface on Cisco NAC
Profiler to Communicate with ACS, page 8-35.
Configure NAC Profiler in ACS. See Configuring NAC Profile LDAP Definition in ACS for Use in
Identity Policy, page 8-37.
Enabling the LDAP Interface on Cisco NAC Profiler to Communicate with ACS
Note Before you can enable the LDAP interface on the NAC Profiler, ensure that you have set up your NAC
Profiler with the NAC Profiler Collector. For more information on configuring Cisco NAC Profiler, refer
to the Cisco NAC Profiler Installation and Configuration Guide, available under
http://www.cisco.com/en/US/products/ps8464/
products_installation_and_configuration_guides_list.html.
To enable the LDAP interface on the NAC Profiler to communicate with ACS:
Step 1 Log into your Cisco NAC Profiler.
Step 2 Choose Configuration > NAC Profiler Modules > List NAC Profiler Modules.
Step 3 Click Server.
The Configure Server page appears.
Step 4 In the LDAP Configuration area, check the Enable LDAP check box as shown in Figure 8-1.