Restricting wireless access to specific AD group

ccie16351
Level 1

Hi,

I have a problem restricting wireless access to a specific Active Directory group. What's happening now is that every end-user that exists in the AD Default group gains access via the wireless network.

Any brilliant idea how to restrict access to only the users defined in a specific group in the Active Directory?

Thanks

Sami

5 Replies

Matthew Fowler
Level 1

Hi Sami,

A good way is to use dynamic VLAN assignment. First, configure your WLAN to be mapped to a 'blackhole' interface, e.g. an interface in a non-routed subnet. Second, create an interface for the wireless users as per normal. Then, if using ACS, use the group mapping to map the AD group to an ACS user group. In this ACS group, configure it to return either a VLAN ID or an Airespace interface name for the interface on the WLC for the wireless users. Finally, make sure AAA Override is configured on the WLAN.

This way, if a user does not return the VLAN/interface override, they get put on the 'blackhole' VLAN.

This link should show you the configuration steps needed - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

If using IAS, check out http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008082d5b5.shtml

-Matt

Richard Atkin
Level 4

Hi,

What you should do is create a Wireless group in AD, and put your Wireless-Users and Wireless-Machines into that group. In your RADIUS server, create a policy that will only authenticate users on the proviso that they are a member of that prerequisite group. This approach works in pretty much any RADIUS server you care to mention, is easy to set up and manage, and won't require any changes to your WLCs.

Rgds,

Richard

Thanks Richard for your input. Actually I managed to do it successfully, the way you have said, but that was ahead of your posting. Thank you anyway.

I can get this to work no problem. The issue that I have is restricting it now. If I have 2 WLANs and 2 AD groups, it seems that I can log into either WLAN as long as I match either IAS policy. Can someone point me in the right direction please?

Ah, that's easy! 

Read this:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Basically it is just a question of using the DNIS access restrictions within your appropriate ACS Group and defining a rule along the lines of:

AAA Client - *

Port - *

CLI - *

DNIS - *myssidname

So when you're using this, the logical process within ACS (assuming v4.x ACS) goes like this:

ACS Receives Inbound Request from WLC

ACS Refers to Internal DB (and fails)

ACS Refers to AD (via Unknown User Policy)

AD Returns Group Membership Info (assuming supplied username / password are correct)

ACS Maps AD User to an ACS Group based on their AD Group Membership(s) and the defined ACS Group Mappings

ACS evaluates the DNIS supplied by the WLC and compares to the DNIS Access Restrictions configured within the ACS Group

Then either:

     The user is permitted if ESSID = DNIS

     or

     The user is rejected if ESSID != DNIS

Hope this helps,

Richard
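To make the decision order in this reply and the dynamic-VLAN approach from the first reply concrete, here is an added example that models the RADIUS-side logic in Python. It is not ACS, IAS or WLC code and not from any of the posters; the user names, passwords, AD groups, ACS-style group names, DNIS patterns, VLAN IDs and WLC interface names are all constructed, and it assumes the WLC sends Called-Station-Id as `<AP-MAC>:<SSID>` (which is what a `*myssidname` DNIS pattern relies on). The evaluator authenticates against a stand-in AD, maps the AD group to a policy group, checks the DNIS restriction, and on accept returns the tunnel attributes that AAA Override uses to move the client off the blackhole interface; it also shows why a user in the wrong group or on the wrong SSID never leaves the blackhole.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed AD data (hypothetical users, passwords and group memberships).
AD_USERS = {
    "alice": ("Passw0rd!", {"Domain Users", "Wireless-Staff"}),
    "bob":   ("Passw0rd!", {"Domain Users", "Wireless-Guests"}),
    "carol": ("Passw0rd!", {"Domain Users"}),   # default group only, no wireless group
}


@dataclass(frozen=True)
class PolicyGroup:
    name: str          # RADIUS/ACS group name (hypothetical)
    ad_group: str      # AD group mapped onto this RADIUS group
    dnis_pattern: str  # DNIS / Called-Station-Id restriction, shell-style wildcard
    vlan_id: int       # returned as Tunnel-Private-Group-ID on accept


# Constructed ACS-style group mappings: one per WLAN, each tied to its own SSID.
POLICY_GROUPS = (
    PolicyGroup("Staff-WiFi", "Wireless-Staff", "*:corp-wifi", 10),
    PolicyGroup("Guest-WiFi", "Wireless-Guests", "*:guest-wifi", 20),
)

# Standard tunnel attributes that accompany a VLAN override.
VLAN_ATTRS = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}


def authenticate_ad(username, password):
    """Stand-in for the 'Unknown User Policy' AD lookup: groups on success, None on failure."""
    record = AD_USERS.get(username)
    if record is None or record[0] != password:
        return None
    return record[1]


def map_to_policy_group(ad_groups):
    """ACS-style group mapping: first policy group whose AD group the user holds."""
    for group in POLICY_GROUPS:
        if group.ad_group in ad_groups:
            return group
    return None


def evaluate_access_request(username, password, called_station_id):
    """
    Decision order from the thread:
      AD auth -> AD group membership -> RADIUS group mapping -> DNIS restriction -> VLAN attrs.
    Returns (code, payload): reply attributes on accept, a reject reason otherwise.
    """
    ad_groups = authenticate_ad(username, password)
    if ad_groups is None:
        return ("Access-Reject", "authentication failed")
    group = map_to_policy_group(ad_groups)
    if group is None:
        return ("Access-Reject", "no wireless group membership")
    # DNIS restriction: the SSID carried in Called-Station-Id must match the group's pattern.
    if not fnmatchcase(called_station_id, group.dnis_pattern):
        return ("Access-Reject", f"SSID not permitted for group {group.name}")
    attrs = {**VLAN_ATTRS, "Tunnel-Private-Group-ID": str(group.vlan_id)}
    return ("Access-Accept", attrs)


def wlc_assign_interface(decision, interface_by_vlan, blackhole="blackhole"):
    """
    WLC side with AAA Override enabled: the client lands on the interface for the
    returned VLAN; with no usable override (or a reject) it stays on the WLAN's
    configured blackhole interface and never reaches a routed subnet.
    """
    code, payload = decision
    if code != "Access-Accept":
        return blackhole
    vlan = payload.get("Tunnel-Private-Group-ID")
    return interface_by_vlan.get(vlan, blackhole)


# Constructed WLC interface names keyed by VLAN ID.
INTERFACES = {"10": "staff-data", "20": "guest-data"}


if __name__ == "__main__":
    # Called-Station-Id as assumed here: AP MAC, a colon, then the SSID.
    for user, ssid in (("alice", "corp-wifi"), ("alice", "guest-wifi"), ("carol", "corp-wifi")):
        decision = evaluate_access_request(user, "Passw0rd!", f"00-1A-2B-3C-4D-5E:{ssid}")
        print(user, ssid, decision, "->", wlc_assign_interface(decision, INTERFACES))
```

The second case (alice on guest-wifi) is the situation from the follow-up question: she authenticates and maps to a group, but the DNIS restriction rejects her because the SSID in Called-Station-Id does not match her group's pattern. Dropping the DNIS check gives the first reply's behaviour on its own, where any mapped user is accepted and only the VLAN override decides whether they leave the blackhole.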
