New Contributor
Posts: 2
Registered: 4 weeks ago

Approval Policy depending on AP-Group?

Hello everyone.

So, we have an Aruba setup, one SSID, several usergroups and Access Point groups. We're a public government for a city, so naturally we have many locations that we have our access points set up at.

Now we want to make sure that people can only use the WLAN at their corresponding access points, but without using their own SSID.

So what I would need to do is make the login be denied when the usergroup and access point group do not match. We have an enforcement policy that denies everyone who doesn't have a valid usergroup. So I'd just expand that policy to include a valid usergroup AND its corresponding ap-group.

But here is my problem: I can't find the ap-group in the rule editor. In the other places like role mappings, etc. it's under a Subtype of Radius. But that doesn't even appear in the Role Editor.

Anyone got an idea? Thank you in advance.

P.S.: Making a second SSID instead or doing other large-scale changes of that sort are out of the question sadly, because that is how our politicians want it, so that's how it will be done. I don't have any influence in that regard sadly.

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Approval Policy depending on AP-Group?

How many AP groups are you planning on having?

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Approval Policy depending on AP-Group?

You can add a rule under roles. It needs to be a radius:aruba attribute.

Screen Shot 2017-06-27 at 4.01.25 AM.png

Thank You,
Troy

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Approval Policy depending on AP-Group?

You can do this multiple ways.

1. If there is a small number of groups (5-10), then you can just filter on that under the first tab before you even get to role mapping and create multiple services.

2. If there is a large number of groups, then you can give each one a role name like in the screenshot so you can use the tips:role name in the enforcement policy in conjunction with your conditions.

Thank You,
Troy

New Contributor
Posts: 2
Registered: 4 weeks ago

Re: Approval Policy depending on AP-Group?

I tried the first one but it didn't work and just let him pass anyway.

To be honest, we are speaking of just one AP-Group. About 4 Usergroups are supposed to be restricted this way, if they have one certain AP-Group, and the rest if they have any other AP-Group.

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: Approval Policy depending on AP-Group?

Please post a screenshot of your enforcement policy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480