iMC EIA dot1x: specifying the authorized login terminals

2023-03-26 17:56:29 Published

Network Topology

The customer is consulting on an EIA address binding + authorized login configuration scheme, with the following requirements:

There are four levels for LDAP users:

level1: ou=zctt1. Level1 users can only log in on terminals in office 1.

level2: ou=zctt2. Level2 users can only log in on terminals in offices 1 and 2.

level3: ou=zctt3. Level3 users can only log in on terminals in offices 1, 2, and 3.

level4: ou=zctt4. Level4 users can only log in on terminals in offices 1, 2, 3, and 4.


Configuration Steps

Considering the customer site environment and networking conditions, the solution is as follows:

1. Use the LDAP server as the user authentication source. Create users of four levels on the LDAP server, each level in its own OU.

2. Synchronize users to iMC based on the OU, and configure a different authentication service in each synchronization policy to bind user groups to access service groups.

3. Because the customer uses 802.1X authentication, MAC address co-access is recommended to meet the requirements. Configure MAC address groups of four levels to match the four authentication services, so that users of each level can be authenticated only on the MAC terminals of the corresponding level.

| Office | Account | Service | Access device | MAC group (access scenario) |
|---|---|---|---|---|
| office 1 | ou=zctt1 | Service1=zctt1@domain | access switch 1 | Mac_G1=mac1 |
| office 2 | ou=zctt2 | Service2=zctt2@domain | access switch 2 | Mac_G2=Mac1+mac2 |
| office 3 | ou=zctt3 | Service3=zctt3@domain | access switch 3 | Mac_G3=Mac1+mac2+mac3 |

Key Configuration

1. Create 4 MAC groups at this path: User > User Access Policy > Access Condition > Endpoint MAC Group > Add Endpoint MAC Group

2. Bind the MAC group in the service's access scenario. Path: User Access Policy > Access Service > Copy Access Service > Access Scenario

3. Configure different sync policies for the LDAP server, so that different OUs are bound to different services.
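The matching logic this scheme relies on, modeled as an added Python example (not part of the original case and not iMC code) that can be used to check the intended OU-to-terminal matrix before building the MAC groups. The MAC addresses, the dc=example,dc=com suffix and all function names are constructed for illustration, and the fourth group is assumed to continue the cumulative pattern of Mac_G1 to Mac_G3.

```python
import re

# Constructed sample data: terminal MACs per office (not from the original page).
OFFICE_MACS = {
    1: {"00:11:22:33:44:01"},
    2: {"00:11:22:33:44:02"},
    3: {"00:11:22:33:44:03"},
    4: {"00:11:22:33:44:04"},
}
# OU -> highest office whose terminals that level may use (levels from the text).
OU_LEVEL = {"zctt1": 1, "zctt2": 2, "zctt3": 3, "zctt4": 4}


def normalize_mac(mac):
    """Accept 00-11-.., 00:11:.., 0011-2233-4401 or bare hex; return aa:bb:.. or None."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_group(level):
    """Cumulative group, as in the table: Mac_G3 = mac1 + mac2 + mac3."""
    return set().union(*(OFFICE_MACS[n] for n in range(1, level + 1)))


def ou_of(dn):
    """Return the first ou= value of an LDAP DN (lower-cased), or None."""
    m = re.search(r"(?:^|,)\s*ou=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip().lower() if m else None


def is_allowed(user_dn, endpoint_mac):
    """Deny by default: an unknown OU or malformed MAC never matches a scenario."""
    level = OU_LEVEL.get(ou_of(user_dn))
    mac = normalize_mac(endpoint_mac)
    if level is None or mac is None:
        return False
    return mac in mac_group(level)


def access_matrix():
    """Rows = OU, columns = offices 1..4; True where login should succeed."""
    return {ou: [is_allowed(f"cn=u,ou={ou},dc=example,dc=com", next(iter(OFFICE_MACS[o])))
                 for o in sorted(OFFICE_MACS)] for ou in sorted(OU_LEVEL)}
```

Comparing `access_matrix()` with the requirements list shows whether each level's MAC group contains exactly the offices that level is meant to reach.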





