Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Figure 8-7 Test Configuration Dialog Box (the dialog shows Number of Subjects: 100 and Number of Directory Groups: 6)

Number of Subjects—This value maps to the actual subject devices already profiled by the Cisco NAC Profiler (actual devices enabled for Profiler).

After the Profiler receives initial SNMP trap information from the switch, Profiler can poll the switch using SNMP to gather MIB (Management Information Base) information about the switch as well as the connecting endpoint.

After the Profiler has learned about the endpoint (for example, its MAC address and switch port), it adds the endpoint to its database. Each endpoint added to the Profiler's database is counted as one subject.

Number of Directory Groups—This value maps to the number of profiles enabled for LDAP on Profiler. When Profiler is already running on your network, default profiles for endpoints are pre-configured.

However, not all profiles are enabled for LDAP; they must be configured as described in Configuring Endpoint Profiles in NAC Profiler for LDAP Authentication, page 8-36. Note that if you are setting up Profiler for the first time, you will see zero groups initially once the Profiler is up and running.

Note The subjects and directory groups are listed only if there are fewer than 100 of them. If the number of subjects or directory groups exceeds 100, the subjects and directory groups are not listed. Instead, you get a message similar to the following one:

More than 100 subjects are found.

Step 8 Click the Directory Attributes tab if you want to use the directory attributes of subject records as policy conditions in policy rules. See Viewing LDAP Attributes, page 8-34 for more information.

Step 9 Choose NAC Profiler as the result (Identity Source) of the identity policy. For more information, see Viewing Identity Policies, page 10-21.

As soon as the endpoint is successfully authenticated by the ACS server, ACS issues a CoA (Change of Authorization) and changes the VLAN. For this, you can configure a static VLAN mapping in the ACS server. For more information, see Specifying Common Attributes in Authorization Profiles, page 9-19.

When the endpoint is successfully authenticated, the following output is displayed on the switch.

ACCESS-Switch# show authentication sessions

Interface  MAC Address     Method  Domain  Status         Session ID

Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15
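To verify the switch-side result across many ports rather than reading one line by eye, the following added example (not code from the Cisco guide) parses show authentication sessions output in the layout shown above, normalizes each MAC to colon form for correlation with other inventories, and lists MAB sessions that did not reach Authz Success, which means no CoA or VLAN change took place for that endpoint. The sample output is constructed; the failed and dot1x rows are assumed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the switch output above (not a real capture).
SAMPLE_OUTPUT = """\
ACCESS-Switch# show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/1    0014.d11b.aa36  mab     DATA    Authz Success  505050010000004A0B41FD15
Fa1/0/2    0014.d11b.bb47  mab     DATA    Authz Failed   505050010000004B0B41FE20
Fa1/0/3    0014.d11b.cc58  dot1x   DATA    Running        505050010000004C0B41FF31
"""

@dataclass
class AuthSession:
    interface: str
    mac: str          # normalized to aa:bb:cc:dd:ee:ff
    method: str
    domain: str
    status: str
    session_id: str

# One data row. Status may contain a space ("Authz Success"), so it is matched
# non-greedily up to the hexadecimal session ID that ends the line.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<sid>[0-9A-Fa-f]+)$"
)

def normalize_mac(dotted: str) -> str:
    """Convert a Cisco dotted MAC (0014.d11b.aa36) to colon form (00:14:d1:1b:aa:36)."""
    hexstr = dotted.replace(".", "").lower()
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))

def parse_sessions(text: str) -> list[AuthSession]:
    """Parse 'show authentication sessions' output; the prompt and header lines do not match."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sessions.append(AuthSession(m["iface"], normalize_mac(m["mac"]), m["method"],
                                        m["domain"], m["status"], m["sid"]))
    return sessions

def unauthorized_mab_sessions(sessions: list[AuthSession]) -> list[AuthSession]:
    """MAB sessions that did not reach 'Authz Success': the endpoint was not matched by
    a Profiler group or ACS rule, so no CoA and no VLAN change happened for it."""
    return [s for s in sessions if s.method == "mab" and s.status != "Authz Success"]
```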


User Guide for Cisco Secure Access Control System 5.3

8-40

OL-24201-01
