I performed testing of Identity Awareness in my lab (RADIUS Accounting mode only) and found some problems I am not able to explain. I would really appreciate any comments to the following:
- userAccountControl LDAP attribute is ignored by IA. If a user is locked out, it is allowed to access a network. Is this correct behaviour, or did I misconfigure something?
- the same thing happens when I tried to authorize a user based on fw1user (objectClass) LDAP attributes.
- direct mapping of user/machine to group directly on the CP firewall by issuing the command 'pdp radius groups set -u 26 -a 1 -c 9 -d ","' does not work correctly in case several Vendor-Specific RADIUS AV pairs are included within a RADIUS accounting-request. How can I correctly use the command to assign group membership if the following attributes come to the CP firewall within one accounting-request?
Cisco-AVPair = "ssid=ssid01"
Cisco-AVPair = "vlan-id=30"
Cisco-AVPair = "nas-location=unspecified"
I want to assign group membership based on the first AV pair.
Thank you very much for any comments.
In case somebody is interested, I included all my findings from the lab in the attached document.
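Added example (not part of the original post and not Check Point's pdp code): a small parser that walks a RADIUS attribute list, pulls out every Cisco-AVPair carried in Vendor-Specific attributes (RADIUS attribute 26, Cisco vendor id 9, vendor sub-type 1, i.e. the numbers behind -u 26 -a 1 -c 9), and derives a group from the "ssid=" pair rather than from attribute position. The accounting-request bytes are constructed here from the three AV pairs quoted above plus a User-Name attribute; the ssid-to-group table and the group name "wifi-corp-users" are hypothetical. Length fields are validated before use so a truncated or malformed attribute is rejected instead of silently misread.

```python
"""Constructed example: extracting Cisco-AVPair values from a RADIUS accounting-request
attribute list and deriving a group from the "ssid=" pair.  Not Check Point's pdp code."""
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type Vendor-Specific (RFC 2865, section 5.26); "-u 26"
CISCO_VENDOR_ID = 9    # IANA enterprise number of Cisco; "-c 9"
CISCO_AVPAIR = 1       # Cisco vendor sub-type carrying "key=value" strings; "-a 1"
USER_NAME = 1          # standard RADIUS User-Name attribute, included only to be skipped


def encode_attr(attr_type: int, data: bytes) -> bytes:
    """Encode a plain RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute with a vendor sub-attribute."""
    sub = encode_attr(CISCO_AVPAIR, value.encode())
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_vsa_strings(attrs: bytes, vendor_id: int, vendor_type: int) -> list:
    """Return every string carried by the given vendor/sub-type, in packet order.
    Raises ValueError on a truncated or malformed length field."""
    values = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + attr_len]
        i += attr_len
        if attr_type != VENDOR_SPECIFIC or len(body) < 4:
            continue                      # not a VSA (e.g. User-Name), skip it
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue                      # VSA from another vendor, skip it
        j = 4
        while j < len(body):
            if j + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute header")
            sub_type, sub_len = body[j], body[j + 1]
            if sub_len < 2 or j + sub_len > len(body):
                raise ValueError("malformed vendor sub-attribute length")
            if sub_type == vendor_type:
                values.append(body[j + 2:j + sub_len].decode("utf-8", errors="replace"))
            j += sub_len
    return values


def avpairs_to_dict(values: list) -> dict:
    """Split 'key=value' strings; the first occurrence of a key wins, strings without '=' are ignored."""
    result = {}
    for v in values:
        key, sep, val = v.partition("=")
        if sep and key not in result:
            result[key] = val
    return result


def group_for_request(attrs: bytes, ssid_groups: dict):
    """Return the group mapped to the request's ssid, or None when the ssid is absent or unknown."""
    pairs = avpairs_to_dict(parse_vsa_strings(attrs, CISCO_VENDOR_ID, CISCO_AVPAIR))
    return ssid_groups.get(pairs.get("ssid"))


# Constructed accounting-request attribute list carrying the three AV pairs from the post
SAMPLE_ATTRS = encode_attr(USER_NAME, b"jdoe") + b"".join(
    encode_cisco_avpair(v) for v in ("ssid=ssid01", "vlan-id=30", "nas-location=unspecified"))

# Hypothetical ssid-to-group table; the real mapping is the administrator's own
SSID_GROUPS = {"ssid01": "wifi-corp-users"}

if __name__ == "__main__":
    print(parse_vsa_strings(SAMPLE_ATTRS, CISCO_VENDOR_ID, CISCO_AVPAIR))
    print(group_for_request(SAMPLE_ATTRS, SSID_GROUPS))
```

Selecting the pair by its key ("ssid") instead of by position keeps the mapping stable when the NAS adds, removes or reorders AV pairs, which is the situation the post describes; a key that is missing simply yields no group rather than a wrong one.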