Restricting wireless access to specific AD group

Dec 13th, 2009

Hi,

I have a problem in restricting wireless access to a specific Active Directory group. What's happening now is that every end-user that exists in the AD Default group gains access via the wireless network.


Any brilliant idea how to restrict access to only the users defined in a specific group in the Active Directory?


Thanks


Sami

Matthew Fowler (Cisco Employee) Sun, 12/13/2009 - 17:26

Hi Sami,


A good way is to use dynamic VLAN assignment. First, configure your WLAN to be mapped to a 'blackhole' interface, e.g. an interface in a non-routed subnet. Second, create an interface for the wireless users as per normal. Then, if using ACS, use the group mapping to map the AD group to an ACS user group. In this ACS group, configure it to return either a VLAN ID or the Airespace interface name for the interface on the WLC for the wireless users. Finally, make sure AAA Override is configured on the WLAN.


This way, if a user does not return the VLAN/interface override they get put on the 'blackhole' VLAN.


This link should show you the configuration steps needed - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml


If using IAS, check out http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008082d5b5.shtml


-Matt

Richard Atkin Mon, 12/14/2009 - 05:05

Hi,


What you should do is create a Wireless group in AD, and put your Wireless-Users and Wireless-Machines into that group. In your RADIUS server, create a policy that will only authenticate users on the proviso that they are a member of that prerequisite group. This approach works in pretty much any RADIUS server you care to mention, is easy to set up and manage, and won't require any changes to your WLCs.


Rgds,


Richard

ccie16351 Mon, 12/14/2009 - 05:48

Thanks Richard for your input. Actually I managed to do it successfully, the way you have said, but that was ahead of your posting. Thank you anyways.

erikjustinlee Tue, 12/15/2009 - 13:18

I can get this to work no problem. The issue that I have is restricting it now. If I have 2 WLANs and 2 AD groups, it seems that I can log into either WLAN as long as I match either IAS policy. Can someone point me in the right direction please?

Richard Atkin Wed, 12/16/2009 - 08:08

Ah, that's easy! 


Read this:


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml


Basically it's just a question of using the DNIS access restrictions within your appropriate ACS group and defining a rule along the lines of:


AAA Client - *

Port - *

CLI - *

DNIS - *myssidname


So when you're using this, the logical process within ACS (assuming v4.x ACS) goes like this:


ACS Receives Inbound Request from WLC

ACS Refers to Internal DB (and fails)

ACS Refers to AD (via Unknown User Policy)

AD Returns Group Membership Info (assuming supplied username / password are correct)

ACS Maps AD User to an ACS Group based on their AD Group Membership(s) and the defined ACS Group Mappings

ACS evaluates the DNIS supplied by the WLC and compares to the DNIS Access Restrictions configured within the ACS Group

Then either:

     The user is permitted if ESSID = DNIS

     or

     The user is rejected if ESSID != DNIS



Hope this helps,


Richard
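As an added example (not code from any post in this thread), a small Python model of the ACS 4.x decision flow Richard lists above, combined with the Airespace interface override from Matt's reply. The user records, group names, SSIDs and the assumption that the WLC supplies the DNIS as '<ap-mac>:<ssid>' in Called-Station-Id are all constructed here.

```python
import fnmatch

# Constructed sample directory and ACS configuration (not real data).
AD_USERS = {
    "sami": {"password": "s3cret", "groups": ["Domain Users", "Wireless-Corp"]},
    "guest1": {"password": "guest", "groups": ["Domain Users", "Wireless-Guest"]},
    "bob": {"password": "pw", "groups": ["Domain Users"]},
}

# ACS group mappings, evaluated top to bottom; first matching AD group wins.
GROUP_MAPPINGS = [
    ("Wireless-Corp", "acs-corp"),
    ("Wireless-Guest", "acs-guest"),
]

# Per ACS group: the DNIS access restriction pattern ('*' wildcard, as in the
# thread) and the Airespace interface name returned for AAA Override.
ACS_GROUPS = {
    "acs-corp": {"dnis": "*corp-ssid", "interface": "corp-users"},
    "acs-guest": {"dnis": "*guest-ssid", "interface": "guest-users"},
}


def map_to_acs_group(ad_groups):
    """Apply the ACS group mappings to a user's AD group memberships."""
    for ad_group, acs_group in GROUP_MAPPINGS:
        if ad_group in ad_groups:
            return acs_group
    return None


def evaluate_request(username, password, called_station_id):
    """Decide one Access-Request from the WLC, following the ACS 4.x flow.

    called_station_id is the RADIUS Called-Station-Id, assumed here to carry
    the DNIS as '<ap-mac>:<ssid>', which the '*ssid' pattern matches.
    """
    # Internal DB lookup fails, so the Unknown User Policy consults AD.
    user = AD_USERS.get(username)
    if user is None or user["password"] != password:
        return "reject", {"reason": "AD authentication failed"}
    acs_group = map_to_acs_group(user["groups"])
    if acs_group is None:
        # Not in a wireless AD group, so no ACS group grants the WLAN.
        return "reject", {"reason": "no ACS group mapping"}
    pattern = ACS_GROUPS[acs_group]["dnis"]
    if not fnmatch.fnmatchcase(called_station_id.lower(), pattern.lower()):
        return "reject", {"reason": "DNIS access restriction (wrong SSID)"}
    return "accept", {"airespace_interface": ACS_GROUPS[acs_group]["interface"]}
```

A corp user presenting the right password on the guest SSID is rejected by the DNIS check, while a user outside both wireless groups is rejected before any SSID comparison takes place.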
