This functionality is being asked for by the finance department whose machines 
have elevated access, but who should not be accessing sensitive data after 8PM.

We use Active Directory and soon will be upgrading our RSA devices that will 
integrate with AD if we are interested. 

-----Original Message-----
From: Cisco Clean Access Users and Administrators 
[mailto:[email protected]] On Behalf Of Anthony Maszeroski
Sent: Wednesday, October 13, 2010 10:29 PM
To: [email protected]
Subject: Re: VLAN access based on time

Out of curiosity, is this need related to accommodating different
security requirements for student workers given time-of-day (and/or
location) ?

On 10/13/2010 5:26 PM, Jeremy Wood wrote:
> Hey Pete,
> 
> I'm going off the cuff here as I've never done this before and I'm not
> sure what you are running there for auth servers but we're using ACS
> here and there is an option to do "Time Bound Alternate Groups"
> per-user or group. If you used a RADIUS server to do your
> authentication you could probably use the attributes returned to NAC
> to craft an authentication rule that would do this.
> 
> However, if you're using AD you are probably out of luck using just
> NAC. You could write a PowerShell script + scheduled task to move the
> user between groups in AD and then use NAC to map via those groups.
> 
> --Jeremy
> 
> On Wed, Oct 13, 2010 at 16:12, Pete Boynton <[email protected]> wrote:
>> Has anyone ever done this?:
>>
>>
>>
>> I have a user who is on VLAN XXX from 08:00 to 20:00. Any time after that I
>> don't want him on VLAN XXX anymore. He needs to be on VLAN YYY.
>>
>> Thanks
>>
>>
>>
>> Higher One
>> 25 Science Park
>> New Haven CT, 06511
>> (203) 776-7776 x 4442
>>
>> (203) 804-8896 cell
>>
>>
> 

-- 
- Anthony Maszeroski, CCNA, CISSP
-----------------------------------
Information Security Manager
The University of Scranton
email : [email protected]
phone : 570-941-4226
-----------------------------------
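
The scheduled-task approach suggested in Jeremy Wood's quoted reply, sketched as an added example (not code from anyone in this thread). The three group names are hypothetical, and it assumes the ActiveDirectory PowerShell module plus a NAC rule that maps each group to its VLAN role.

```powershell
#Requires -Modules ActiveDirectory
# Added example; group names are hypothetical placeholders, not from the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    [datetime]$Now         = (Get-Date),
    [string]  $RosterGroup = 'Finance-TimeBound',       # users subject to the policy
    [string]  $DayGroup    = 'NAC-Finance-Day',         # NAC maps this to VLAN XXX
    [string]  $NightGroup  = 'NAC-Finance-AfterHours',  # NAC maps this to VLAN YYY
    [timespan]$WindowStart = '08:00',
    [timespan]$WindowEnd   = '20:00'
)
$ErrorActionPreference = 'Stop'   # any AD error fails the task instead of being skipped

# 08:00 is inside the window, 20:00 is already outside it
$inWindow = ($Now.TimeOfDay -ge $WindowStart) -and ($Now.TimeOfDay -lt $WindowEnd)
if ($inWindow) { $grant, $revoke = $DayGroup, $NightGroup }
else           { $grant, $revoke = $NightGroup, $DayGroup }

function Get-MemberDn([string]$Group, [switch]$Recursive) {
    Get-ADGroupMember -Identity $Group -Recursive:$Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.distinguishedName }
}
$roster  = @(Get-MemberDn $RosterGroup -Recursive)
$granted = @(Get-MemberDn $grant)
$revoked = @(Get-MemberDn $revoke)

function New-Change($Action, $Group, $Users) {
    foreach ($u in $Users) { [pscustomobject]@{ Action = $Action; Group = $Group; User = $u } }
}
# Revocations come first, so a failure part-way leaves a user in neither group
# rather than in both. Users no longer on the roster are also dropped.
$changes = @(
    New-Change Remove $revoke $revoked
    New-Change Remove $grant  @($granted | Where-Object { $roster  -notcontains $_ })
    New-Change Add    $grant  @($roster  | Where-Object { $granted -notcontains $_ })
)
foreach ($c in $changes) {
    if (-not $PSCmdlet.ShouldProcess($c.User, "$($c.Action) $($c.Group)")) { continue }
    if ($c.Action -eq 'Add') { Add-ADGroupMember    -Identity $c.Group -Members $c.User }
    else                     { Remove-ADGroupMember -Identity $c.Group -Members $c.User -Confirm:$false }
    $c   # emit each applied change so the task output doubles as an audit trail
}
```

Because the script only reconciles membership against the clock, it can run from a scheduled task at 08:00 and 20:00 or more often, and `-WhatIf` shows the pending changes without applying them. The new membership takes effect only when NAC next evaluates the user's groups, so a session that began before 20:00 is not moved until it re-authenticates.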
