3.1.10.2.8. getADGroup

The getADGroup plugin retrieves the MAC address of the connected device and searches for it as a user in the registered Active Directories. Then, it identifies the group to which the user belongs and adds a corresponding tag to indicate it.

  • If the device does not belong to any groups, it is labeled as <Tag prefix>_NOT_CONTAINED.

  • If the device is not defined in any Active Directory, it is labeled as <Tag prefix>_NOT_DEFINED.

Note

The proper functioning of SNMP or COA disconnection is essential for the plugin to operate effectively.

Initially, when the plugin first encounters the MAC address, it will be directed to an access VLAN. Upon execution of the plugin and the addition of tags, it will transition to the service VLAN. This transition necessitates seamless disconnection, underscoring the importance of smooth SNMP or COA disconnection.

../../../../_images/getadgroup.png


  • Tag prefix: Tag prefix to label the user device configuration in the Active Directory.

  • Execution TTL: During this period, indicated in minutes, no more executions are done over the same client.

The plugin has to be executed within both the MAB and the Registry policies postconditions. Upon execution, it assigns tags based on the Active Directory groups associated with the MAC address of the connected device.

Following this, policies are configured to consider these tags based on the device’s Active Directory group memberships.