Wireless Access

Occasional Contributor II

Block user access based on AD group membership



I am administering a K-12 wireless environment, with Aruba 7240 controllers and ClearPass.


Our students have both domain-joined computers, authenticating to the wireless network with EAP-TLS user certificates, and BYOD devices authenticating with an EAP-TLS Onboard certificate or a captive portal.


Today we are using a proxy server to block students' network access when they have exams, but for various reasons we now want to use Aruba to do this instead.

The students' teachers have a web interface where they can put the relevant students in an AD group, and then their network access shall be blocked.


I have done some research, and think we will have to do something like this to achieve it with the Aruba controller/ClearPass:

1. Get all MAC addresses that belong to a specific user (that the teacher has enabled blocking on) from the ClearPass endpoint database.

2. Send these MAC addresses to ClearPass, and make ClearPass change the role of this particular user to something like "block-network-role".

3. Send these MAC addresses to the controller, and make it run a change of authorization for these clients, so that they have to re-authenticate and get the new role.


Has anyone done something similar? Is there an easier way to do it?

I do not know how to achieve this; any lead would be great!
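Step 3 of the procedure above is a RADIUS Disconnect-Request or CoA-Request (RFC 5176) sent to the controller so the client has to re-authenticate and pick up its new role. The following is an added illustration, not code from the original post or from Aruba, of how that packet is built and how the controller's ACK/NAK is verified before it is trusted; the shared secret, identifier and MAC address are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31  # RFC 2865 type; carries the client MAC on WLAN sessions


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as a Type(1) Length(1) Value TLV."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a Disconnect-Request or CoA-Request with the RFC 5176 authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # RFC 5176 s2.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_disconnect_for_mac(identifier: int, mac: str, secret: bytes) -> bytes:
    """Disconnect-Request keyed on the client MAC via Calling-Station-Id."""
    attrs = encode_attr(ATTR_CALLING_STATION_ID, mac.encode("ascii"))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """The NAS-side ACK/NAK; included so verify_response can be exercised offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator before acting on an ACK/NAK code."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4])[2] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed values: a real deployment uses the controller's RADIUS shared secret.
    secret = b"constructed-shared-secret"
    req = build_disconnect_for_mac(7, "00-11-22-33-44-55", secret)
    print(len(req), req[0] == DISCONNECT_REQUEST)  # 39 True
```

In a real deployment the request goes over UDP to the controller's dynamic-authorization port and the reply is checked with verify_response using the same request authenticator.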



Guru Elite

Re: Block user access based on AD group membership

You can use a combination of AD groups and also the issuer of the certificate to make decisions.

For example, you can say: if AD issued the certificate and the group is student, do A; versus if the certificate was issued by ClearPass and the group is student, do B.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480