New Contributor

Deny Access to SSID to users in an AD Security Group

We allow users to log in to WiFi based on their username and password in Active Directory. This is set through WPA2-Enterprise security, authenticated through our RADIUS server. We have a few generic user accounts that are only needed for hard-wired workstations to perform specific tasks. However, some users have taken these credentials and are logging in on their personal devices to gain WiFi access. We want to discourage this, forcing the users to use their own assigned user accounts for this purpose.

We currently have Security Access Rules for this SSID set to Network-Based. Would we need to set this to Role-Based to facilitate the following?

IF "USERNAME" is a MemberOf the AD security group "wifiBlacklist", THEN set-role to No Access.

I'd like to put the generic accounts into a WiFi Blacklist security group, so these accounts are not abused. Users could still log in on their personal devices under their own user accounts. A simple answer to the WiFi problem would be to eliminate the generic accounts, but we are not able to do that immediately due to their use on the wired network.

Any and all suggestions on how to set this in ClearPass and/or within the Aruba Virtual Controller would be helpful.

Thanks!

Guru Elite

Re: Deny Access to SSID to users in an AD Security Group

Yes, your logic is correct, but use the “Groups” attribute instead of memberOf.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

New Contributor

Re: Deny Access to SSID to users in an AD Security Group

In what settings GUI can I add this logic to accomplish the stated goal?

Guru Elite

Re: Deny Access to SSID to users in an AD Security Group

You can do it via Role Mapping or your Enforcement Policy.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
