Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1414
Views
0
Helpful
1
Replies

Limiting RADIUS authentication to a specific AD group

johnnylingo
Level 5
Level 5

‎11-14-2013 08:07 AM - edited ‎03-10-2019 09:06 PM

I have a basic PEAP configuration using a WLC 4402 with Secure ACS 5.4.  ACS is using Active Directory as the identity source. One issue I've found is that any valid AD user can authenticate, including service accounts.  I don't want this, since service account passwords are never changed and anyone with knowledge of those accounts can gain access to the Wifi Network.

How can I limit access to a certain group, say "Users"?  Can this be done with AD as the source, or do I have to switch to LDAP?

Labels:
0 Helpful
1 Reply 1

prswami
Level 1
Level 1

‎11-16-2013 12:17 AM

Hi,

yes, this can definately be achieved using AD as the identity store.

In the access service processing the wireless 802.1x authentications, include the compound condition or AD1 external group condition using the customized button on the right bottom corner.(bring the condition from available to selected portion).

Now, go to the rule responsible to process the authentication process, or create a new rule and call out the group(s) for which you want the authentication to pass and at the bottom on the default rule select deny access authorization profile as a resultant.

Let me know if you get stuck somewhere.

Thanks,

Prateek

0 Helpful
Customers Also Viewed These Support Documents