12-13-2009 08:16 AM - edited 07-03-2021 06:20 PM
Hi,
I have a problem in restricting wireless access to a specific Active Directory group. What's happening now is every end-user that exists in the AD Default group gains access via the wireless network.
Any brilliant idea how to restrict access to only the users defined in a specific group in the Active Directory?
Thanks
Sami
12-13-2009 05:26 PM
Hi Sami,
A good way is to use dynamic VLAN assignment. First, configure your WLAN to be mapped to a 'blackhole' interface. e.g. an interface in a non-routed subnet. Second, create an interface for the wireless users as per normal. Then, if using ACS, use the group mapping to map the AD group to an ACS user group. In this ACS group configure it to return either a VLAN ID, or airespace interface name for the interface on the WLC for the wireless users. Finally, make sure AAA Override is configured on the WLAN.
This way, if a user does not return the VLAN/interface override they get put on the 'blackhole' VLAN.
This link should show you the configuration steps needed - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
If using IAS, check out http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008082d5b5.shtml
-Matt
12-14-2009 05:05 AM
Hi,
What you should do is to create a Wireless group in AD, and put your Wireless-Users and Wireless-Machines into that group. In your RADIUS server, create a policy that will only authenticate users on the proviso that they are a member of that prerequisite group. This approach works in pretty much any RADIUS server you care to mention, is easy to set up and manage, and won't require any changes to your WLCs.
Rgds,
Richard
12-14-2009 05:48 AM
Thanks Richard for your input. Actually I managed to do it successfully, the way you have said, but that was ahead of your posting. Thank you anyways.
12-15-2009 01:18 PM
I can get this to work no problem. The issue that I have is restricting it now. If I have 2 WLANs and 2 AD groups, it seems that I can log into either WLAN as long as I match either IAS policy. Can someone point me in the right direction please?
12-16-2009 08:08 AM
Ah, that's easy!
Read this:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
Basically just a question of using the DNIS access restrictions within your appropriate ACS Group and defining a rule along the lines of:
AAA Client - *
Port - *
CLI - *
DNIS - *myssidname
So when you're using this, the logical process within ACS (assuming v4.x ACS) goes like this:
ACS Receives Inbound Request from WLC
ACS Refers to Internal DB (and fails)
ACS Refers to AD (via Unknown User Policy)
AD Returns Group Membership Info (assuming supplied username / password are correct)
ACS Maps AD User to an ACS Group based on their AD Group Membership(s) and the defined ACS Group Mappings
ACS evaluates the DNIS supplied by the WLC and compares to the DNIS Access Restrictions configured within the ACS Group
Then either:
The User is permitted if ESSID = DNIS
or
The User rejected if ESSID != DNIS
Hope this helps,
Richard
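As an added example (not code from any poster in this thread, nor from Cisco), here is a Python model of the evaluation Richard describes above, with Matt's 'blackhole' fallback from the first reply bolted on at the end. The users, passwords, AD groups, ACS group names, SSIDs and interface names are all constructed, and it assumes the WLC sends Called-Station-Id in its default "AP-MAC:SSID" form, which is what the DNIS restriction "*myssidname" matches against.

```python
import fnmatch

# Constructed sample AD: username -> (password, set of AD groups)
AD_USERS = {
    "alice": ("alice-pass", {"Domain Users", "Wireless-Staff"}),
    "bob":   ("bob-pass",   {"Domain Users", "Wireless-Guests"}),
    "carol": ("carol-pass", {"Domain Users"}),          # only in the default group
}

# ACS group mappings, evaluated in order (first matching AD group wins)
GROUP_MAPPINGS = [("Wireless-Staff", "acs-staff"), ("Wireless-Guests", "acs-guest")]

# Per ACS group: DNIS access restriction and the Airespace interface returned on accept
ACS_GROUPS = {
    "acs-staff": {"dnis": "*corp-wifi",  "interface": "staff-vlan"},
    "acs-guest": {"dnis": "*guest-wifi", "interface": "guest-vlan"},
}

BLACKHOLE_INTERFACE = "blackhole"   # constructed name for the non-routed WLAN interface


def evaluate_request(username, password, called_station_id):
    """Model ACS handling of one Access-Request.

    Returns (accept, reason, interface_override); interface_override is None on reject.
    """
    # Steps 1-2: no match in the ACS internal DB, so the Unknown User Policy asks AD
    entry = AD_USERS.get(username)
    if entry is None or entry[0] != password:
        return False, "AD rejected credentials", None
    ad_groups = entry[1]

    # Step 3: map AD group membership to an ACS group; default-group-only users get nothing
    acs_group = next((acs for ad, acs in GROUP_MAPPINGS if ad in ad_groups), None)
    if acs_group is None:
        return False, "no ACS group mapping for user's AD groups", None

    # Step 4: DNIS restriction; "*" wildcard matched against "<AP-MAC>:<SSID>" (assumed format)
    pattern = ACS_GROUPS[acs_group]["dnis"]
    if not fnmatch.fnmatchcase(called_station_id, pattern):
        return False, f"ESSID != DNIS ({called_station_id!r} vs {pattern!r})", None
    return True, f"ESSID = DNIS for {acs_group}", ACS_GROUPS[acs_group]["interface"]


def wlc_interface(interface_override):
    """With AAA Override on the WLAN, a missing override lands the client on the blackhole interface."""
    return interface_override if interface_override else BLACKHOLE_INTERFACE
```

A staff user on the guest SSID is now rejected at the DNIS step even though the credentials are good, which is the cross-WLAN problem raised earlier in the thread.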