Security

Occasional Contributor II
Posts: 14
Registered: ‎02-20-2013

Different SSID Authentication to Different AD Tree Folder

I have set up 3 SSIDs on the Aruba Controller and am using 802.1X to authenticate to the AD server.

The authentication passed and I'm able to authenticate using the AD user ID. Problem is I can authenticate to the AD server through the 3 SSIDs.

Question:

1. I need to tie the 3 different SSIDs to 3 different CNs in the AD tree. How do I configure the AD tree search? Using role mappings or a filter?

It would be good if there is any documentation on this particular kind of setup that could be shared.

Thanks.

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Different SSID Authentication to Different AD Tree Folder

You have 3 Different SSIDs.  What is different about them, VLANs?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 14
Registered: ‎02-20-2013

Re: Different SSID Authentication to Different AD Tree Folder

Yes, the 3 different SSIDs have different VLANs.

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Different SSID Authentication to Different AD Tree Folder

What RADIUS server are you using?

Typically you want as few SSIDs as possible, because adding SSIDs decreases your Wi-Fi performance. If you are authenticating users to the same database, you would have a single SSID and the RADIUS server would check their AD group and then return a RADIUS attribute to put a user into a specific VLAN, depending on their AD group.



Colin Joseph
Aruba Customer Engineering

MVP
Posts: 4,269
Registered: ‎07-20-2011

Re: Different SSID Authentication to Different AD Tree Folder

What are you using for RADIUS?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 14
Registered: ‎02-20-2013

Re: Different SSID Authentication to Different AD Tree Folder

I'm setting up the 3 SSIDs to authenticate to ClearPass, which has already joined the AD domain.

I tested the Base DN settings and am able to authenticate. Problem is I need to tie the different SSIDs to the different CN groups in the AD server.

Right now I'm able to authenticate via the 3 SSIDs, so I need to set up a filter for ClearPass to search a particular CN group only for the user ID.

MVP
Posts: 4,269
Registered: ‎07-20-2011

Re: Different SSID Authentication to Different AD Tree Folder

- First create a ROLE for each CN AD group (ROLE-1, for example).

- Then go to the ROLE MAPPING of that service and map each CN AD group to each role you created (make sure you have "evaluate all" set for your role mapping).

- In your enforcement policy use the following conditions:

TIPS Role > ROLE-1

Connection > SSID > (SSID-1)

And do the same for the rest of each SSID/AD group combination.


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 14
Registered: ‎02-20-2013

Re: Different SSID Authentication to Different AD Tree Folder

Hi Victor,

We created multiple sources in ClearPass which point to the same AD server, then we set the filter attribute to the different AD CN trees and it works after that.

Thanks.

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Different SSID Authentication to Different AD Tree Folder

Raymond, it is good, but it is inefficient, because more SSIDs decrease performance.

In addition, if you have a user in a different group using the same computer, they will have to know to configure the laptop or device to a different SSID, which can cause helpdesk calls. If you made it so everyone authenticated to the same SSID, but the rules in the background put them on a different VLAN via 802.1X, they would not have to remember what SSID to connect to.

Lastly, you should consider what you are using VLANs for: VLANs are not necessarily a security mechanism. All users could be placed into the same VLAN in the Aruba system, but have different roles and firewall policies on the WLAN that determine what they can and cannot do.



Colin Joseph
Aruba Customer Engineering

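The three designs discussed in this thread, as a small Python model added here as an example; it is not code from the original posts and not ClearPass code. It covers Victor's procedure (role mapping with "evaluate all", then enforcement on TIPS role plus Connection SSID), Raymond's resolution (one authentication source per SSID whose LDAP filter only finds members of one group), and Colin's alternative (one SSID, VLAN returned as a RADIUS attribute per AD group). The group DNs, SSID names, VLAN IDs, user names and the `%{Authentication:Username}` placeholder are constructed assumptions; the RADIUS attribute values follow RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802).

```python
"""Policy model of the ClearPass flow discussed in the thread (constructed example)."""

# Constructed sample of what the AD source would return as each user's memberOf.
AD_USERS = {
    "alice": ["CN=Staff,OU=Groups,DC=example,DC=com"],
    "bob":   ["CN=Students,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Staff,OU=Groups,DC=example,DC=com",
              "CN=IT-Admins,OU=Groups,DC=example,DC=com"],
    "dave":  [],  # valid AD account, but member of none of the three groups
}

# Role mapping (Victor's steps 1-2): AD group DN -> TIPS role. Assumed names.
ROLE_MAPPING = {
    "CN=Staff,OU=Groups,DC=example,DC=com":     "ROLE-1",
    "CN=Students,OU=Groups,DC=example,DC=com":  "ROLE-2",
    "CN=IT-Admins,OU=Groups,DC=example,DC=com": "ROLE-3",
}


def map_roles(username):
    """'Evaluate all' role mapping: every matching group contributes a role."""
    groups = AD_USERS.get(username, [])
    return sorted({ROLE_MAPPING[g] for g in groups if g in ROLE_MAPPING})


# Enforcement (Victor's step 3): (TIPS role, SSID) -> profile, first match wins.
SSID_RULES = [
    ("ROLE-1", "SSID-1", "Allow-Staff"),
    ("ROLE-2", "SSID-2", "Allow-Students"),
    ("ROLE-3", "SSID-3", "Allow-IT"),
]
DEFAULT_PROFILE = "Deny-Access"  # the default profile decides what dave gets


def enforce_per_ssid(username, ssid):
    """Return the enforcement profile for a user connecting to a given SSID."""
    roles = map_roles(username)
    for role, rule_ssid, profile in SSID_RULES:
        if role in roles and rule_ssid == ssid:
            return profile
    return DEFAULT_PROFILE


# Colin's alternative: one SSID, VLAN chosen from the role. Most privileged role first,
# because a user with several roles (carol) must land on exactly one VLAN.
VLAN_BY_ROLE = [("ROLE-3", 30), ("ROLE-1", 10), ("ROLE-2", 20)]  # assumed VLAN IDs


def enforce_single_ssid(username):
    """Return the RFC 3580 VLAN attributes for an Access-Accept, or None for Access-Reject."""
    roles = map_roles(username)
    for role, vlan in VLAN_BY_ROLE:
        if role in roles:
            return {"Tunnel-Type": 13,            # VLAN
                    "Tunnel-Medium-Type": 6,      # IEEE 802
                    "Tunnel-Private-Group-ID": str(vlan)}
    return None


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def source_filter(group_dn):
    """Raymond's approach: a per-SSID authentication source whose filter only finds
    members of one group, so users outside it are 'not found' on that source."""
    return ("(&(sAMAccountName=%{Authentication:Username})"
            f"(memberOf={ldap_filter_escape(group_dn)}))")


if __name__ == "__main__":
    for user in AD_USERS:
        print(user, map_roles(user),
              [enforce_per_ssid(user, s) for s in ("SSID-1", "SSID-2", "SSID-3")],
              enforce_single_ssid(user))
    print(source_filter("CN=Staff,OU=Groups,DC=example,DC=com"))
```

Two things to check in any of the three designs: what the default enforcement profile does for a user who authenticates successfully but matches no role (dave above), and how a user with more than one mapped role (carol) is handled, since with "evaluate all" the order of the enforcement rules or VLAN list decides the outcome.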