Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Approval Policy depending on AP-Group?

  • 1.  Approval Policy depending on AP-Group?

    Posted Jun 27, 2017 04:52 AM

    Hello everyone.

    So, we have an Aruba setup, one SSID, several usergroups and Access Point groups. We're a public government for a city, so naturally we have many locations that we have our access points set up at.

    Now we want to make sure that people can only use the WLAN at their corresponding access points, but without using their own SSID.

    So what I would need to do is make the login be denied when the usergroup and access point group do not match. We have an enforcement policy that denies everyone who doesn't have a valid usergroup. So I'd just expand that policy to include a valid usergroup AND its corresponding ap-group.

    But here is my problem: I can't find the ap-group in the rule editor. In the other places like role mappings, etc. it's under a Subtype of Radius. But that doesn't even appear in the Role Editor.

    Anyone got an idea? Thank you in advance.

    P.S.: Making a second SSID instead or doing other large scale changes of that sort are out of the question sadly, because that is how our politicians want it so that's how it will be done. I don't have any influence in that regard sadly.



  • 2.  RE: Approval Policy depending on AP-Group?

    EMPLOYEE
    Posted Jun 27, 2017 05:00 AM

    How many AP groups are you planning on having?



  • 3.  RE: Approval Policy depending on AP-Group?

    EMPLOYEE
    Posted Jun 27, 2017 05:05 AM

    You can add a rule under roles. It needs to be a radius:aruba attribute.

    [Attached screenshot: Screen Shot 2017-06-27 at 4.01.25 AM.png]



  • 4.  RE: Approval Policy depending on AP-Group?

    EMPLOYEE
    Posted Jun 27, 2017 05:14 AM

    You can do this multiple ways.

    1. If there is a small number of groups (5-10), then you can just filter on that under the first tab before you even get to role mapping and create multiple services.

    2. If there is a large number of groups, then you can give each one a role name like in the screenshot so you can use the tips:role name in the enforcement policy in conjunction with your conditions.



  • 5.  RE: Approval Policy depending on AP-Group?

    Posted Jun 27, 2017 07:25 AM

    I tried the first one but it didn't work and just let him pass anyway.

    To be honest, we are speaking of just one AP-Group. About 4 usergroups are supposed to be restricted this way, if they have one certain AP-Group, and the rest if they have any other AP-Group.



  • 6.  RE: Approval Policy depending on AP-Group?

    EMPLOYEE
    Posted Jun 27, 2017 09:08 AM

    Please post a screenshot of your enforcement policy.