Hi everyone,
(Please be warned, I'm extremely new to using Aruba CPPM, so if my question seems painfully basic, you'll know why.)
We have a cluster of 2 CPPM appliances in our environment that have done very basic authentication (EAP-PEAP, MSCHAPv2) across many different domains for wireless access. The way that it is deployed today is as follows:
- User attempts to join our wireless network.
- CPPM identifies the user based on their domain, and then looks to see if they belong to a certain AD user group (this is done within various Role Mappings).
- If they belong to this group (varies slightly per-domain), then CPPM grants them the default "Allow Access" profile for RADIUS.
Yes, it's very, very simple. This environment was set up for us many years ago by a consultant, and has seen zero improvement/tweaking since then. As I've inherited it, I'd like to improve upon the level of security we have today, as anyone can bring ANY device into our environment and join it to our corporate wireless network, as long as the user account they use to log in (where required; for example, on an Android device/iPhone) is a member of the proper AD user group.
What I'm interested in doing is requiring a user authentication request to only be permitted if (1) the user him- or herself is a member of a specific AD user group, and (2) the computer they are using (corporate-provided) is a member of a specific AD computer group. Does that make sense (I hope)?
Please note that we are NOT using Aruba's wireless hardware, or solution of any kind. We're using Cisco Meraki APs that are pointing to Aruba CPPM for RADIUS authentication. So, it's a very limited deployment, Aruba-specific-wise.
Presently, I'm struggling with how to identify computers, and their AD group membership. It seems that (given our present configuration) I can only identify user-based attributes, since that is what I'm primarily searching in AD for. But, surely there has to be a way to identify computer AD group membership. I just need a way to identify computer attributes (and the computer the user is using to authenticate) as well.
Please let me know if there is more info I should be providing you that might help you to answer my question here.
Many, many thanks for your help in advance.