Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Different SSID Authentication to Different AD Tree Folder

  • 1.  Different SSID Authentication to Different AD Tree Folder

    Posted Sep 20, 2016 10:47 AM

    I have set up 3 SSIDs on the Aruba Controller and am using 802.1X to authenticate to the AD server.

    The authentication passed and I'm able to authenticate using the AD user ID. Problem is I can authenticate to the AD server through the 3 SSIDs.

    Question:

    1. I need to tie the 3 different SSIDs to 3 different CNs in the AD tree. How do I configure the AD tree search? Using Role mappings or a Filter?

    It would be good if there is any documentation on this particular kind of setup that could be shared.

    Thanks.



  • 2.  RE: Different SSID Authentication to Different AD Tree Folder

    EMPLOYEE
    Posted Sep 20, 2016 10:55 AM

    You have 3 different SSIDs. What is different about them, VLANs?



  • 3.  RE: Different SSID Authentication to Different AD Tree Folder

    Posted Sep 20, 2016 10:58 AM

    Yes, the 3 different SSIDs have different VLANs.



  • 4.  RE: Different SSID Authentication to Different AD Tree Folder

    EMPLOYEE
    Posted Sep 20, 2016 11:02 AM

    What RADIUS server are you using?

    Typically you want as few SSIDs as possible, because adding SSIDs decreases your Wi-Fi performance. If you are authenticating users against the same database, you would have a single SSID and the RADIUS server would check their AD group and then return a RADIUS attribute to put a user into a specific VLAN, depending on their AD group.



  • 5.  RE: Different SSID Authentication to Different AD Tree Folder

    Posted Sep 20, 2016 11:13 AM

    I'm setting up the 3 SSIDs to authenticate to ClearPass, which has already joined the AD domain.

    I tested the Base DN settings and am able to authenticate. Problem is I need to tie the different SSIDs to the different CN groups in the AD server.

    Right now I'm able to authenticate via the 3 SSIDs, so I need to set up a filter for ClearPass to search a particular CN group only for the user ID.



  • 6.  RE: Different SSID Authentication to Different AD Tree Folder

    Posted Sep 20, 2016 11:24 AM

    - First create a ROLE for each CN AD Group (ROLE-1, for example).

    - Then go to the ROLE MAPPING of that Service and map each CN AD Group to each Role you created (make sure you have "evaluate ALL" set for your role mapping).

    - In your enforcement policy, use the following conditions:

    TIPS ROLE > ROLE-1

    Connection > SSID > (SSID-1)

    And do the same for the rest of the SSID/AD Group combinations.



  • 7.  RE: Different SSID Authentication to Different AD Tree Folder

    Posted Sep 21, 2016 03:52 AM

    Hi Victor,

    We created multiple sources in ClearPass which point to the same AD server, then we set the filter attribute to the different AD CN trees, and it works after that.

    Thanks.



  • 8.  RE: Different SSID Authentication to Different AD Tree Folder

    EMPLOYEE
    Posted Sep 21, 2016 05:55 AM

    Raymond, it is good, but it is inefficient, because more SSIDs decrease performance.

    In addition, if you have a user in a different group using the same computer, they will have to know to configure the laptop or device for a different SSID, which can cause helpdesk calls. If you made it so everyone authenticated to the same SSID, but the rules in the background put them on a different VLAN via 802.1X, they would not have to remember which SSID to connect to.

    Lastly, you should consider what you are using VLANs for: VLANs are not necessarily a security mechanism. All users could be placed into the same VLAN in the Aruba system, but have different roles and firewall policies on the WLAN that determine what they can and cannot do...
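    The two designs discussed in replies 6 and 8 (one enforcement rule per role/SSID pair versus one SSID where the role alone selects the VLAN) can be modelled as a small policy evaluator. This is an added example, not code from the thread or from HPE Aruba's ClearPass; the AD group DNs, role names, SSIDs and VLAN profiles are constructed placeholders, and ClearPass's real evaluation order and attribute syntax are only approximated here.

```python
# Added example (not from this thread or from HPE Aruba): a small model of how a
# ClearPass role mapping with "evaluate all" and an enforcement policy combine a
# user's AD group with Connection:SSID. All names below are constructed placeholders.

# Constructed AD group DNs (the "CN" groups the thread refers to).
STAFF = "CN=Staff,OU=Groups,DC=example,DC=com"
STUDENTS = "CN=Students,OU=Groups,DC=example,DC=com"
CONTRACTORS = "CN=Contractors,OU=Groups,DC=example,DC=com"

# Role mapping rules: AD group (from the user's memberOf) -> Tips role.
ROLE_MAPPING = {STAFF: "ROLE-1", STUDENTS: "ROLE-2", CONTRACTORS: "ROLE-3"}


def map_roles(member_of):
    """Role mapping with 'evaluate all': every matching rule adds its role."""
    return {role for group, role in ROLE_MAPPING.items() if group in member_of}


# Reply 6 design: one enforcement rule per role/SSID pair, first match wins.
# Each tuple is (Tips:Role, Connection:SSID, enforcement profile to return).
PER_SSID_POLICY = [
    ("ROLE-1", "SSID-1", "VLAN-10"),
    ("ROLE-2", "SSID-2", "VLAN-20"),
    ("ROLE-3", "SSID-3", "VLAN-30"),
]


def enforce_per_ssid(member_of, ssid):
    """Return the VLAN profile, or DENY when no (role, SSID) rule matches."""
    roles = map_roles(member_of)
    for role, wanted_ssid, profile in PER_SSID_POLICY:
        if role in roles and ssid == wanted_ssid:
            return profile
    return "DENY"  # default enforcement profile


# Reply 8 design: everyone joins one SSID; the role alone picks the VLAN that
# RADIUS returns, so users never have to choose the "right" SSID.
SINGLE_SSID_POLICY = [("ROLE-1", "VLAN-10"), ("ROLE-2", "VLAN-20"), ("ROLE-3", "VLAN-30")]


def enforce_single_ssid(member_of, ssid, corp_ssid="SSID-CORP"):
    """Rule order is precedence: a user in several groups gets the first listed VLAN."""
    if ssid != corp_ssid:
        return "DENY"
    roles = map_roles(member_of)
    for role, profile in SINGLE_SSID_POLICY:
        if role in roles:
            return profile
    return "DENY"
```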



  • 9.  RE: Different SSID Authentication to Different AD Tree Folder

    Posted Sep 20, 2016 11:05 AM

    What are you using for RADIUS?