Contributor I
Posts: 21
Registered: ‎08-29-2013

I want to restrict access to my internal network according to AD groups.

I have 14 AP-93s throughout my building. I finally got NPS set up to work with the APs with RADIUS. Everything is fine, and my users can connect.

The last part of my project is restricting access to the internal network, depending on Active Directory security groups. I want my domain admins and a specific wifi_admins group to be able to access the internal network, but everyone else to be restricted from internal network access. What would be the best way to achieve this? I tried IP filtering, but seeing as all the traffic doesn't run through my DC, NPS IP filtering doesn't seem like the ticket.

Any help is greatly appreciated. I'm almost done with this project, and I want to finish it soon. This is the last piece.

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: I want to restrict access to my internal network according to AD groups.

Set up security profiles tied to your memberof groups. Based on that, send back a filter-id... there are MANY articles on TechNet with Microsoft about this.

In your server group for this VAP (AAA profile), you can then say

IF Filter-id == non-privileged employee THEN set-role restricted-access

...or something similar!

See below:

Screen Shot 2013-09-09 at 1.32.21 PM.png

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
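
The flow described in the reply above, modelled as an added example that is not part of the thread and not Aruba or Microsoft code: NPS evaluates its network policies top-down and returns a Filter-Id, and the AP maps that Filter-Id to a role, falling back to a default role. The group names, Filter-Id strings and role names are assumptions chosen for illustration.

```python
"""Model of the two-stage decision: NPS picks a Filter-Id, the AP maps it to a role.
All group names, Filter-Id strings and role names are assumptions for illustration."""

# NPS network policies, evaluated top-down; the first policy whose group
# condition matches decides. filter_id=None models a policy that grants
# access but has no Filter-Id attribute configured.
NPS_POLICIES = [
    {"groups": {"Domain Admins", "wifi_admins"}, "filter_id": "wifi-privileged"},
    {"groups": {"Domain Users"}, "filter_id": None},
]

# AP role derivation rules on the Filter-Id attribute, first match wins.
ROLE_RULES = [("wifi-privileged", "internal-access")]
DEFAULT_ROLE = "restricted-access"  # role applied when no rule matches


def nps_decide(member_of, policies=NPS_POLICIES):
    """Return (accepted, filter_id) for a user's set of AD groups."""
    for policy in policies:
        if member_of & policy["groups"]:
            return True, policy["filter_id"]
    return False, None  # no policy matched: Access-Reject


def derive_role(filter_id, rules=ROLE_RULES, default=DEFAULT_ROLE):
    """Map the Filter-Id from the Access-Accept to a role (exact string match)."""
    for value, role in rules:
        if filter_id == value:
            return role
    return default  # missing or misspelled Filter-Id lands here


def role_for(member_of, policies=NPS_POLICIES):
    """Role a user ends up with, or None if NPS rejects the authentication."""
    accepted, filter_id = nps_decide(set(member_of), policies)
    return derive_role(filter_id) if accepted else None


if __name__ == "__main__":
    print(role_for({"Domain Admins", "Domain Users"}))
    print(role_for({"Domain Users"}))
    print(role_for({"Guests"}))
    # Reversed order: the broad Domain Users policy shadows the admin policy.
    print(role_for({"Domain Admins", "Domain Users"}, NPS_POLICIES[::-1]))
```

Keeping the default role restricted means a policy that returns no Filter-Id, or a Filter-Id string that does not match the rule exactly, fails closed instead of granting internal access.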
Contributor I
Posts: 21
Registered: ‎08-29-2013

Re: I want to restrict access to my internal network according to AD groups.

That doesn't look like my UI. Is that using ClearPass? I don't have ClearPass. Is there a way to do that with the default system?

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: I want to restrict access to my internal network according to AD groups.

No. The UI may be slightly different but the functionality is consistent. You must add a server assigned rule in the server group.
Contributor I
Posts: 21
Registered: ‎08-29-2013

Re: I want to restrict access to my internal network according to AD groups.

I think you have a completely different access point or something. I don't have a list of server groups, or see anything that resembles that in any way. The only place I found to add filters to the APs like that is setting up the wireless network, on the access page as shown below.

Not the same

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: I want to restrict access to my internal network according to AD groups.

Are you using Instant?

Contributor I
Posts: 21
Registered: ‎08-29-2013

Re: I want to restrict access to my internal network according to AD groups.

Yes. They're Instant AP-93s.

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: I want to restrict access to my internal network according to AD groups.

Ah!! I see... so in the SSID settings on the last tab select role-based and see this screenshot:

Screen Shot 2013-09-09 at 2.02.54 PM.png

Contributor I
Posts: 21
Registered: ‎08-29-2013

Re: I want to restrict access to my internal network according to AD groups.

That looks like the one I posted, so I am on the right track, just have to figure out what you mean by sending back a filter-id. I am not really sure what to search on TechNet to find what you're talking about. I searched for "send back filter-id with radius" and I get nothing viable. Perhaps I have the wrong idea of what is supposed to send the filter back?

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: I want to restrict access to my internal network according to AD groups.

Try here:

http://community.arubanetworks.com/t5/Authentication-and-Access/Microsoft-NPS-custom-attributes/td-p/95999
