Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

I want to restrict access to my internal network according to AD groups.

  • 1.  I want to restrict access to my internal network according to AD groups.

    Posted Sep 09, 2013 01:29 PM

    I have 14 AP-93s throughout my building. I finally got NPS set up to work with the APs with RADIUS. Everything is fine, and my users can connect.

    The last part of my project is restricting access to the internal network, depending on Active Directory security groups. I want my domain admins and a specific wifi_admins group to be able to access the internal network, but everyone else to be restricted from internal network access. What would be the best way to achieve this? I tried IP filtering, but seeing as all the traffic doesn't run through my DC, NPS IP filtering doesn't seem like the ticket.

    Any help is greatly appreciated. I'm almost done with this project, and I want to finish it soon. This is the last piece.



  • 2.  RE: I want to restrict access to my internal network according to AD groups.
    Best Answer

    EMPLOYEE
    Posted Sep 09, 2013 01:33 PM

    Set up security profiles tied to your memberOf groups. Based on that, send back a Filter-Id; there are MANY articles on TechNet from Microsoft about this.

    In your server group for this VAP (AAA profile), you can then say

    IF Filter-Id == non-privileged employee THEN set-role restricted-access

    ...or something similar!

    See below:

    [Screenshot: Screen Shot 2013-09-09 at 1.32.21 PM.png]



  • 3.  RE: I want to restrict access to my internal network according to AD groups.

    Posted Sep 09, 2013 01:41 PM

    That doesn't look like my UI. Is that using ClearPass? I don't have ClearPass. Is there a way to do that with the default system?



  • 4.  RE: I want to restrict access to my internal network according to AD groups.

    EMPLOYEE
    Posted Sep 09, 2013 01:43 PM
    No. The UI may be slightly different, but the functionality is consistent. You must add a server-assigned rule in the server group.


  • 5.  RE: I want to restrict access to my internal network according to AD groups.

    Posted Sep 09, 2013 02:00 PM

    I think you have a completely different access point or something. I don't have a list of server groups, or see anything that resembles that in any way. The only place I found to add filters to the APs like that is when setting up the wireless network, on the access page as shown below.

    Not the same



  • 6.  RE: I want to restrict access to my internal network according to AD groups.

    EMPLOYEE
    Posted Sep 09, 2013 02:01 PM

    Are you using Instant?



  • 7.  RE: I want to restrict access to my internal network according to AD groups.

    Posted Sep 09, 2013 02:02 PM

    Yes. They're Instant AP-93s.



  • 8.  RE: I want to restrict access to my internal network according to AD groups.
    Best Answer

    EMPLOYEE
    Posted Sep 09, 2013 02:04 PM

    Ah!! I see...so in the SSID settings, on the last tab, select role-based and see this screenshot:

    [Screenshot: Screen Shot 2013-09-09 at 2.02.54 PM.png]
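
To make the server-derived-role mechanism from the two answers above concrete, here is an added Python example (not code from the thread, from Aruba or from Microsoft): it decodes the attribute TLVs of a RADIUS reply, picks out every Filter-Id (attribute type 11) that the NPS network policy returned, and applies Instant-style "IF Filter-Id equals X THEN set role Y" rules in order, falling back to a restricted default role when nothing matches, so a user whose reply carries no recognised Filter-Id still lands in restricted-access. The rule table, group names and role names are assumptions for illustration; the packet bytes are constructed inline with a zeroed authenticator.

```python
import struct

# RADIUS codes and attribute types from RFC 2865; role names are assumptions.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_USER_NAME, ATTR_FILTER_ID = 1, 11

# Assumed server-derived rules, evaluated in order: (Filter-Id value, role).
RULES = [("wifi_admins", "internal-access"), ("domain_admins", "internal-access")]
DEFAULT_ROLE = "restricted-access"  # applied when no rule matches (deny by default)


def build_packet(code, ident, attrs):
    """Constructed RADIUS packet for the example; the 16-byte authenticator is
    zeroed here (a real server derives it from the shared secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(packet):
    """Return (code, [(type, value_bytes), ...]); reject malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field disagrees with packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def derive_role(packet, rules=RULES, default_role=DEFAULT_ROLE):
    """Mimic the AP's role derivation: Access-Reject means no role at all;
    otherwise the first rule whose Filter-Id appears in the reply wins, and a
    reply with no matching Filter-Id falls back to the restricted default."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return None
    filter_ids = {v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_FILTER_ID}
    for expected, role in rules:
        if expected in filter_ids:
            return role
    return default_role
```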



  • 9.  RE: I want to restrict access to my internal network according to AD groups.

    Posted Sep 09, 2013 02:07 PM

    That looks like the one I posted, so I am on the right track; I just have to figure out what you mean by sending back a Filter-Id. I am not really sure what to search on TechNet to find what you're talking about. I searched for "send back filter-id with radius" and I get nothing viable. Perhaps I have the wrong idea of what is supposed to send the filter back?



  • 10.  RE: I want to restrict access to my internal network according to AD groups.



  • 11.  RE: I want to restrict access to my internal network according to AD groups.

    Posted Sep 09, 2013 02:26 PM

    I actually looked in my NPS settings and found it right after I asked that question. I got it working like a dream right now. Thank you so much for the Filter-Id thing. Now I get to go live with it...

    I'm stoked. Thank you again.