I want to create 802.1x on IMC-UAM with a Cisco switch. I have configured aaa on the switch and everything seems perfect, also I have integrated my Domain controller with IMC and install the certificate. Users can login properly when adding their credentials but they are not set in the appropriate VLAN. At the site we have one Domain controller with several Organization Unit (OU) , example: OU="Sales" and OU="IT", what I want is that when user for Sales OU tries to authenticate I want him to get IP from VLAN 20, and when the user is in IT out I want him to be assigned IP from VLAN 30.
I saw Deploy VLAN in User>User Access Policy >Access Policy >Modify Access Policy but it didn't work.
The UAM module in IMC has a lot of flexibility and also complexity. The documentation is a bit hard to follow, but there are some example files as well.
I'm running HP procurve switches - so not as familiar with cisco but should work similarly. To make your scenario work you need to first define an access service for each group, Users and IT.
For each access service you need an access policy to match (there are situations where you would combine multiple access polices on 1 access service). Each policy will deploy the target VLAN, one for 20, one for 30.
Since you have IMC talking to AD, you have created a sync Policy to move the users over, and since they are authenticating, you have set up the virtual workstation to proxy credential authentication to AD, as LDAP can't get AD passwords directly. If any of that is not true, then you will need to set it up.
The sync policy maps the the users source AD security Group to the access service and its access policy for the desired VLAN. On the first screen, the Base DN and filters are setup. The users are imported from AD starting at the sub Base DN.
On the next screen, under AD group and service, specify the AD group to service mapping using the LDAP notation for group name. This may be where you are having problems as it is the GROUP membership that completes the mapping of user to access service, not the OU the user is in.
So for your plan to work, you need either:
two sync policies each pulling users from a different OU (and then they can be in a common AD security group like Domian users), one access service applied for each sync policy
One sync policy, with users in 2 different AD security groups, each mapped to a different access service
So OU is where the users are imported from, AD group membership maps the service.
In case the cisco switch needs special RADIUS attributes for some reason, or you need to deploy tagged vlans to the ports as well, you can set proprietary attributes under Access device management - these are then associated with the access service.
Hope this helps. Other posts on this forum are helpful as well.
