Yeah, you can't do any mappings using the old WinNT method of
authentication. Best bet would probably be to try LDAP.
Nate
Miller, Paul wrote:
It's set up as Windows NT authentication. When I try and add a mapping
the only option I get is for Vlan ID. When we first set up Clean Access
this was the only option that would work for us. Looks like I may have
to change that.
Paul Miller
Network Administrator
Dominican University
708-524-6641
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[EMAIL PROTECTED] On Behalf Of Nathaniel Austin
Sent: Friday, April 18, 2008 10:51 AM
To: [email protected]
Subject: Re: Block user
Is it an AD-SSO, LDAP, or Kerberos Auth server?
If AD-SSO or LDAP you could create a mapping rule on his/her user name.
Nate
Miller, Paul wrote:
This would be fine. I'm not sure how to do this. I have a "Problem
Role" set up, but can't figure out how to put a single AD authenticated
user in that role.
Paul Miller
Network Administrator
Dominican University
708-524-6641
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Fielden
Sent: Friday, April 18, 2008 10:09 AM
To: [email protected]
Subject: Re: Block user
Yea, I'm with Greg on this. How would you know whose permissions to
apply if they have yet to log in?
Here at GW we do two tiers of blocking. If we get a notification that
the user needs to be turned off (disciplinary action, legal action,
etc.) then their account gets the problem role and their only access is
to an "Access Denied - Call Student Technology Services" site. If the
issue is the machine that they're on (bandwidth use, file sharing,
security issue of some kind, etc.) then the MAC gets filtered in the
manager to use that same role and they only get access to that same
site. Sometimes both of these methods have to be applied together if a
user gets his/her roommate to log in for them.
Ben Fielden
Student Technology Services
The George Washington University
Greg Schaffer wrote:
I think by definition the user has to authenticate ("log in") so as to
identify a restricted role the user can then be placed in. If the user
doesn't log in, how would you know what user to apply policy to?
Greg
Greg Schaffer, CISSP
Director of Network Services
Middle Tennessee State University
------------------------------------------------------------------------
*From:* Cisco Clean Access Users and Administrators
[mailto:[EMAIL PROTECTED] *On Behalf Of *Miller, Paul
*Sent:* Friday, April 18, 2008 9:22 AM
*To:* [email protected]
*Subject:* Block user
Can anyone tell me if there is a way to restrict a user from logging
in to Clean Access? I noticed that I can restrict a device, but no
options for a user.
Paul Miller
Network Administrator
Dominican University
River Forest, IL
708-524-6641