BBB
Occasional Contributor II
Posts: 12
Registered: ‎02-06-2012

Authorization Attributes from Radius Input

Hi,

 

I am trying to block domain laptops from the Guest network via a lookup in AD.

 

However, for some reason I only get 1 authorization Attribute through in the radius input log.

 

Authorization:[Endpoints Repository]:Unique-Device-Count1

 

I have made sure that the Insight database is selected and also restarted all the services again.

 

It makes no difference. Any ideas?

 

 

Guru Elite
Posts: 21,257
Registered: ‎03-29-2007

Re: Authorization Attributes from Radius Input

What are you looking up in AD?  You could try checking for the [MACHINE AUTHENTICATED] role because that would be tied to the MAC address of that device, but that might be it....



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

BBB
Occasional Contributor II
Posts: 12
Registered: ‎02-06-2012

Re: Authorization Attributes from Radius Input

The Customer doesn't want any corporate Laptops to be able to access the guest network.

 

Therefore, we would like it to query AD to see if it has a valid machine name and if so reject it?

 

Is this possible?

Guru Elite
Posts: 21,257
Registered: ‎03-29-2007

Re: Authorization Attributes from Radius Input


Not possible, because as a guest, the only two things we can use for authentication are the MAC address of the device upon association and the username of the guest.

 

Using MAC authentication, if the device has already authenticated as a domain computer, it might be able to derive the built-in CPPM [Machine Authenticated] role, which you could use to put the device in a VLAN or in a role that brings up a page, rejecting the device.

 

Alternatively, you can use group policy to push an SSID with the guest SSID name with a WEP key, so that those devices simply cannot connect to the guest SSID.

 



Colin Joseph
Aruba Customer Engineering


BBB
Occasional Contributor II
Posts: 12
Registered: ‎02-06-2012

Re: Authorization Attributes from Radius Input

I'm pretty new to this. Is there a guide to how you would do this?

Contributor II
Posts: 56
Registered: ‎04-22-2009

Re: Authorization Attributes from Radius Input

image011.jpg

 

Simply use Group Policy to make the Guest network invisible to Domain Machines.

 

If you set it to "Deny", the users cannot even "see" it in the list of available WLANs on a Domain Member machine.

 

(You can also prioritize ordering of ESSIDs for supported networks as well) 

 

Helps to avoid the support calls because the user is on a local hotspot network instead of your corporate network.

 

 

 

 

 
