I'm having an issue with Identity Awareness (IDC, Cisco ISE, dot1x) and LDAP lookups. Running R80.30 Take 111 on mgmt and gates.

Our laptops authenticate using a certificate with the Subject CN=<fqdn of client>. This does not translate well to sAMAccountName in the AD of course. But this certificate template is apparently a standard for AD machine certs.

The users themselves authenticate as usual with sAMAccountName, that works nicely on the gateway.


The guy in charge of our CA and Cert templates quit, and no one has taken over the job yet. So until that is done and I've managed to convince them that <fqdn> is not very good, I'm stuck with a couple of alternatives:

* Skip machine authentication and allow traffic as usual via IP/IP-network.

* Create two LDAP Account Units where one runs a custom User Directory Profile.


How would I go about creating a copy of the existing Microsoft_AD profile, with a new name of course?

I tried creating a new Profile in guidbedit, basically a copy of "Microsoft_AD", as I went row by row copying values but with "UserLoginAttr" set to "dNSHostName", an attribute that exists in the AD. But when back in SmartConsole, the Profile does not allow me to set a Domain and does not activate SSO to be configured. Only a Prefix is available and SSO is greyed out.

Several R80 Admin guides mention creating a new profile and copying values - but just that.

Is there a better way to do this via IDC, RADIUS or something else that I haven't thought of?


The goal is to just authenticate computers so we can use AD-groups or SGT's to allow traffic in the policy.

Right now I can get SGT's to work, but then LDAP-groups for the users stop working - and vice versa.
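As an added example that is not part of the original post (and not Check Point's User Directory profile code): the lookup a directory-backed identity source has to perform for this certificate template, taking the Subject CN (the client FQDN) and resolving it to the AD computer object through dNSHostName instead of sAMAccountName. Python, standard library only; the subject DN and the directory entries are constructed, the filter escaping follows RFC 4515, and a CN that is not shaped like a hostname (for example a wildcard) is rejected before it can become a broad search.

```python
"""Map a machine certificate's Subject CN (client FQDN) to an AD computer object
via the dNSHostName attribute, rather than sAMAccountName.

Added example, not code from the original post or from Check Point. The
directory entries below are constructed; a real deployment would send the
filter from computer_filter() to AD over LDAP and read memberOf from the
returned entry."""

import re

# Constructed sample of what a search under the computers container might return.
SAMPLE_DIRECTORY = [
    {
        "dNSHostName": "laptop01.corp.example.com",
        "sAMAccountName": "LAPTOP01$",
        "memberOf": ["CN=Finance-Laptops,OU=Groups,DC=corp,DC=example,DC=com"],
    },
    {
        "dNSHostName": "laptop02.corp.example.com",
        "sAMAccountName": "LAPTOP02$",
        "memberOf": ["CN=Eng-Laptops,OU=Groups,DC=corp,DC=example,DC=com"],
    },
]

# Shape of a valid host FQDN: labels of letters, digits and hyphens joined by dots.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$",
    re.IGNORECASE,
)


def subject_cn(subject_dn):
    """Return the CN value of an RFC 4514 subject string, or None.

    Handles backslash-escaped commas inside a value; multi-valued RDNs are
    not expected for this certificate template."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            return value.replace("\\,", ",")
    return None


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def computer_filter(fqdn):
    """Build the filter for the computer object whose dNSHostName equals fqdn.

    Returns None if fqdn is not a plausible hostname (e.g. a wildcard CN), so
    a malformed certificate subject never turns into a broad search."""
    if not FQDN_RE.match(fqdn):
        return None
    return "(&(objectClass=computer)(dNSHostName=%s))" % ldap_escape(fqdn)


def lookup_computer(subject_dn, directory=SAMPLE_DIRECTORY):
    """Resolve a certificate subject to the matching computer entry, or None."""
    cn = subject_cn(subject_dn)
    if cn is None or computer_filter(cn) is None:
        return None
    # dNSHostName is matched case-insensitively in AD; mirrored here.
    for entry in directory:
        if entry["dNSHostName"].lower() == cn.lower():
            return entry
    return None


if __name__ == "__main__":
    dn = "CN=laptop01.corp.example.com,OU=Laptops,DC=corp,DC=example,DC=com"
    print(computer_filter(subject_cn(dn)))
    print(lookup_computer(dn))
```

The point of the shape check and the escaping is that the subject CN is data taken from a client-presented certificate: a lookup attribute that differs from sAMAccountName works fine, as long as the value is validated and escaped before it is placed in a filter.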




