How to use SSO authentication for internal users and LDAP for guests


This article applies to:

  • NAC 4.x

Question:

  • I would like to have "internal" users authenticated via SSO and "guest" users authenticated via LDAP. How can I configure NAC to allow this?

Procedure:

  1. Log in to MOC as an admin user.
  2. Create ACP Server and AC Portal.
  3. Right click AC Portal, select "Edit AC Portal" and navigate to "Server Backend Settings"
  4. Expand "LDAP" and configure the following options. You must configure all of the settings described here for this procedure to work. Other LDAP settings are optional.
    • LDAP Server
    • LDAP Port (389, or 636 for secure)
    • Login Contexts (use the context corresponding to the LDAP group holding guest accounts)

      Example:

      Name: Default

      Context String: ou=LDAP,dc=dentac,dc=trustwave,dc=com

    • Bind the LDAP user group with a group in NAC. This will be used to put the user in the right NAC zone.
    • A ldap_auth group must be created in LDAP and users login in with LDAP have to be members of this group.

    • Click Save.
  5. Expand the SSO (802.1X/AD) section and configure RPC Client List.
    • All AD servers must be added to this list

      Example:

      IP: 10.40.211.4

      Login (domain\username - user must be able to view Event Log on AD ): dentac\NACTest

      Type: AD

      Password: <password>
    • Other settings from this section are optional.
    • Click Save
  6. Create a profile (in our example it will be called: Not Authenticated LDAP)

    • Include Conditions: Device Type Condition - Match if device is a Managed device
    • Exclude Conditions: Session Authentication (ACS-AM) - Passed
    • Exclude Conditions: Session SSO Authentication (ACS-AM)Passed
      • NOTE: If you are using device based authentication you can change the exclude conditions to: Device Authentication (ACS-AM) and Device SSO Authentication (ACS-AM)
  7. Create a new access zone (in our example it will be called Authentication Required Force LDAP):
    • Restrict Access: True
    • Allow service access: 
      • Access to AC Portal is required. In our example these are entries for 192.168.1.1
      • Access to active directory servers: entries for IPs 10.40.211.4-5



    • Enter a redirection link for LDAP authentication
    • In the Membership tab:
      • Include profiles: Not Authenticated LDAP (profile created in point 6)
      • Exclude profiles: Authorized Gateways
  8. Create a profile to match users logged in via LDAP:
    • Give it a name (such as LDAP_authentication)
    • Include Conditions: GroupMembership (ACS-AM):
      • In Condition Details select the group that you mapped in point 4 (in our case ldap_auth)

    • Save the profile
  9. Create a zone that will hold all devices/users authenticated via LDAP:
    • Create a zone and give it a name (such as Guest Access).
    • If you want to monitor what's going on in that zone give it an appropriate priority (such as Priority 5)
    • In Included Profiles add the profile created in point 8 (LDAP_authentication)

    • Save the zone information.
  10. Add the new access zone or zones to "Active Access Zones" in your domain and position them according to their priority:
    • As you can see in our example, "Authentication Required Force LDAP" is the highest priority (top of the list). When a user request comes in, it "lands" in this zone. If it is not authenticated via SSO it will be redirected to the LDAP authentication web page.
    • When authenticated via LDAP and matching the right LDAP group (ldap_auth in our example), the user will be matched to the "Guest Access" group.

Last Modified 9/8/2014.
https://support.trustwave.com/kb/KnowledgebaseArticle15553.aspx