Wireless Access

Occasional Contributor II

Block user access based on AD group membership



I am administering a K-12 wireless environment with Aruba 7240 controllers and ClearPass.


Our students have both domain-joined computers, authenticating to the wireless network with EAP-TLS user certificates, and BYOD devices authenticating with an EAP-TLS Onboard certificate or the captive portal.


Today we are using a proxy server to block students' network access when they have exams, but for various reasons we now want to use Aruba to do this instead.

The students' teachers have a web interface where they can put the relevant students in an AD group, after which network access should be blocked.


I have done some research and think we will have to do something like this to achieve it with the Aruba controller/ClearPass:

1. Get all MAC addresses that belong to a specific user (one the teacher has enabled blocking for) from the ClearPass endpoint database.

2. Send these MAC addresses to ClearPass and make ClearPass change the role of this particular user to something like "block-network-role".

3. Send these MAC addresses to the controller and make it run a change of authorization against these clients, so that they have to re-authenticate and get the new role.


Has anyone done something similar? Is there an easier way to do it?

I do not know how to achieve this; any lead would be great!
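The three steps above, as an added example that is not part of the original post and not Aruba's own tooling: it drives the ClearPass REST API with an injectable HTTP transport so the logic can be exercised offline against a constructed fake. Everything ClearPass-specific here is an assumption to be checked against the API Explorer on your own ClearPass version: the OAuth2 client-credentials login at /api/oauth, the JSON `filter` on endpoint attributes, the "Username" and "Exam-Block" endpoint attributes, the enforcement-policy condition that maps Exam-Block to block-network-role, and the /api/session-action/disconnect/{mac} CoA path. The hostname, API client and sample endpoints are made up.

```python
"""Added example: automate "find endpoints -> tag them -> CoA them" against ClearPass.

All API paths, filter syntax and attribute names below are ASSUMPTIONS about the
ClearPass REST API; verify them in your ClearPass API Explorer before use.
"""
import copy
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# A transport takes (method, url, headers, body) and returns the decoded JSON reply.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> dict:
    """Transport for a live ClearPass (needs network; the offline demo uses FakeClearPass)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = resp.read()
        return json.loads(data) if data else {}


class ExamBlocker:
    """Steps 1-3 of the post: find a user's endpoints, tag them, bounce their sessions."""

    def __init__(self, base_url: str, client_id: str, client_secret: str, transport: Transport):
        self.base = base_url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token
        raw = json.dumps(body).encode() if body is not None else None
        return self.transport(method, self.base + path, headers, raw)

    def login(self) -> str:
        # Assumed: OAuth2 client-credentials grant at /api/oauth (API client in ClearPass Guest).
        resp = self._call("POST", "/api/oauth", {"grant_type": "client_credentials",
                                                  "client_id": self.client_id,
                                                  "client_secret": self.client_secret})
        self.token = resp["access_token"]
        return self.token

    def endpoints_for_user(self, username: str) -> List[dict]:
        # Step 1. Assumed: endpoints carry a "Username" attribute (written by Onboard or by
        # a post-auth profile) and /api/endpoint accepts a JSON filter on it.
        flt = urllib.parse.quote(json.dumps({"attributes.Username": username}))
        resp = self._call("GET", f"/api/endpoint?filter={flt}&limit=100")
        return resp.get("_embedded", {}).get("items", [])

    def block_user(self, username: str) -> List[str]:
        """Tag and bounce every endpoint of `username`; return the MACs acted on."""
        macs: List[str] = []
        for ep in self.endpoints_for_user(username):
            mac = ep["mac_address"]
            # Step 2. Assumed: an enforcement policy rule "Endpoint:Exam-Block EQUALS true"
            # assigns block-network-role on the next authentication.
            self._call("PATCH", f"/api/endpoint/{ep['id']}", {"attributes": {"Exam-Block": "true"}})
            # Step 3. Assumed path: ClearPass sends a RADIUS disconnect (CoA) to the
            # controller for this MAC, so the client re-authenticates into the new role.
            self._call("POST", f"/api/session-action/disconnect/{mac}")
            macs.append(mac)
        return macs


class FakeClearPass:
    """Constructed stand-in for ClearPass so the example runs offline."""

    def __init__(self, endpoints: List[dict]):
        self.endpoints = {e["id"]: copy.deepcopy(e) for e in endpoints}
        self.coa_sent: List[str] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> dict:
        path = url.split("/api", 1)[1]  # "/oauth", "/endpoint?...", "/endpoint/1", ...
        if method == "POST" and path == "/oauth":
            return {"access_token": "fake-token", "token_type": "Bearer"}
        if headers.get("Authorization") != "Bearer fake-token":
            raise PermissionError("missing or wrong bearer token")
        if method == "GET" and path.startswith("/endpoint?"):
            qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
            want = json.loads(qs["filter"][0])["attributes.Username"]
            items = [e for e in self.endpoints.values() if e["attributes"].get("Username") == want]
            return {"_embedded": {"items": items}}
        if method == "PATCH" and path.startswith("/endpoint/"):
            ep = self.endpoints[int(path.rsplit("/", 1)[1])]
            ep["attributes"].update(json.loads(body or b"{}")["attributes"])
            return ep
        if method == "POST" and path.startswith("/session-action/disconnect/"):
            self.coa_sent.append(path.rsplit("/", 1)[1])
            return {"status": "accepted"}
        raise ValueError(f"unexpected call {method} {path}")


SAMPLE_ENDPOINTS = [  # constructed sample data, not real ClearPass records
    {"id": 1, "mac_address": "aabbcc001122", "attributes": {"Username": "student01"}},
    {"id": 2, "mac_address": "aabbcc334455", "attributes": {"Username": "student01"}},
    {"id": 3, "mac_address": "aabbcc667788", "attributes": {"Username": "student02"}},
]


def demo(username: str = "student01") -> dict:
    """Run the whole flow against the fake and report what happened."""
    fake = FakeClearPass(SAMPLE_ENDPOINTS)
    blocker = ExamBlocker("https://clearpass.example.edu", "exam-api", "secret", fake)
    blocker.login()
    bounced = blocker.block_user(username)
    tagged = sorted(e["mac_address"] for e in fake.endpoints.values()
                    if e["attributes"].get("Exam-Block") == "true")
    return {"bounced": bounced, "tagged": tagged, "coa_sent": list(fake.coa_sent)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it live, pass `urllib_transport` instead of the fake and use an API client that has only the endpoint and session-action privileges it needs; the teacher-facing web interface would call `block_user` when it adds a student to the AD group, and a matching `unblock` would clear the attribute and send another CoA.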



Guru Elite

Re: Block user access based on AD group membership

You can use a combination of AD groups and the issuer of the cert to make decisions.

For example, you can say: if AD issued the cert and the group is student, do A; if the certificate was issued by ClearPass and the group is student, do B.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.