Description
This article describes what causes a host to be moved to an imported LDAP Host Group.
Scope
Version: 8.x.
Solution
Upon initial synchronization, a host group is created for each LDAP group selected in the Select Groups tab of the LDAP configuration. Note: if an Administrator group with the same name already exists, a host group will not be created.
Hosts become members of these groups when they are registered to a user who is a member of that LDAP group.
A host registered as a device, with a logged-on user who is a member of the LDAP group:
- Will not move to that LDAP host group.
- Will match any policy whose criteria include LDAP group membership, because that criterion is evaluated against the logged-on user.
Example:
Network Access Policy 'IT Group' requires 'IT' LDAP Group membership.
'IT' LDAP Group is imported and appears as a host group.
User jsmith is a member of the 'IT' LDAP group.
Scenarios:
Host A is registered to user jsmith. Upon registration, Host A becomes a member of the 'IT' host group.
Host B is registered as a device. Upon registration, Host B does not become a member of the 'IT' host group.
When Host A connects to the network, it matches the 'IT Group' Network Access Policy and the corresponding VLAN is assigned.
When Host B connects to the network, it does not match the 'IT Group' Network Access Policy until jsmith logs on. Upon login, Host B matches the 'IT Group' Network Access Policy, and the corresponding VLAN is assigned. However, Host B does not move to the 'IT' host group.
This is the expected behavior.
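The following Python model is an added illustration of the two scenarios above; it is not FortiNAC code. It assumes a constructed user-to-LDAP-group map, and that policy evaluation uses the logged-on user when present and otherwise the registered user (the article shows Host A matching on connect without a separate login).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample data mirroring the article's example: jsmith is in the 'IT' LDAP group,
# and the 'IT Group' Network Access Policy requires 'IT' membership.
LDAP_GROUPS = {"jsmith": {"IT"}}
POLICIES = {"IT Group": "IT"}


@dataclass
class Host:
    name: str
    registered_user: Optional[str] = None   # None means the host was registered as a device
    logged_on_user: Optional[str] = None
    host_groups: Set[str] = field(default_factory=set)


def register(host: Host) -> Host:
    """Registration: only a host registered to a user inherits that user's imported LDAP host groups.
    A device registration leaves host_groups empty, and a later logon never changes it."""
    if host.registered_user is not None:
        host.host_groups |= LDAP_GROUPS.get(host.registered_user, set())
    return host


def matching_policies(host: Host) -> List[str]:
    """Policy match keys on the user's LDAP membership, not on host group membership.
    Assumption: the logged-on user takes precedence, falling back to the registered user."""
    user = host.logged_on_user or host.registered_user
    groups = LDAP_GROUPS.get(user, set()) if user else set()
    return [name for name, required in POLICIES.items() if required in groups]


if __name__ == "__main__":
    host_a = register(Host("Host A", registered_user="jsmith"))
    host_b = register(Host("Host B"))
    print(host_a.host_groups, matching_policies(host_a))   # {'IT'} ['IT Group']
    print(host_b.host_groups, matching_policies(host_b))   # set() []
    host_b.logged_on_user = "jsmith"
    print(host_b.host_groups, matching_policies(host_b))   # set() ['IT Group']
```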