Hi all,
We are using SBR appliance version 5.4, and want to implement the following policy ...
When a user's laptop is joined to a domain then he has internet + LAN access. Else, if it is a non-domain laptop (guest), we want to restrict him to internet only.
I am not sure how to change the eap.ini file to reflect the above policy ...
Any thoughts on which EAP flavor to use, and also the eap.ini changes, as well.
Hi,
I understand that you are using SBR appliance version 5.4.
Your requirement is, "When a user's laptop is joined to a domain then he has internet + LAN access.
If it is a non-domain laptop (guest), we want to restrict him to internet only."
The eap.ini configuration file configures only the sequence in which EAP authentication types are tried when authenticating users by means of the different Steel-Belted Radius authentication methods. You need to select the authentication methods as Windows domain user first, followed by Native user, in the order of methods under Authentication Policies in the SBR admin GUI.
You can configure a profile that is to be used to select the attributes sent back on an Access-Accept. Create 2 profiles, one for the domain user and the other for the guest user. Map the profiles appropriately to the domain user and the native user.
The Profiles configuration in SBR lets you define sets of checklist and return list attributes. You need to map these attributes in your switch appropriately to assign the VLAN based on the return attributes for .1x authentication.
Hope this clarifies your query.
NOTE:
Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!
Regards,
Kannan.
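As an added illustration (not code from the thread or from Juniper) of what the two profiles' return lists carry on the wire: the RFC 3580 VLAN-assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) encoded as they would appear in an Access-Accept, plus the consistency check a switch applies before assigning the VLAN. The VLAN IDs 100 and 200 and the profile names are placeholders, not values from the thread.

```python
import struct
# RADIUS attribute numbers from RFC 2868, used for 802.1X VLAN assignment (RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
# Constructed return lists for the two SBR profiles; the VLAN IDs are placeholders
PROFILES = {
    "domain-user": "100",  # placeholder VLAN with LAN + internet access
    "guest-user": "200",   # placeholder VLAN that only reaches the internet
}

def _tagged_int(attr_type, value, tag=1):
    # Tagged integer attribute: type, length, tag byte, 3-byte big-endian value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def _tagged_string(attr_type, text, tag=1):
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def build_return_list(profile):
    """Encode the three VLAN attributes an Access-Accept for this profile carries."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, PROFILES[profile]))

def parse_attributes(raw):
    """Walk the type/length/value list as a switch does: {type: (tag, value bytes)}."""
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 3 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, length = raw[i], raw[i + 1]
        attrs[attr_type] = (raw[i + 2], raw[i + 3:i + length])
        i += length
    return attrs

def assigned_vlan(raw):
    """VLAN a switch would assign, or None when the set is incomplete or inconsistent."""
    attrs = parse_attributes(raw)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not all(t in attrs for t in needed) or len({attrs[t][0] for t in needed}) != 1:
        return None  # all three must be present and share one tag (one tunnel group)
    ttype = int.from_bytes(attrs[TUNNEL_TYPE][1], "big")
    medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1], "big")
    if (ttype, medium) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802):
        return None
    return attrs[TUNNEL_PRIVATE_GROUP_ID][1].decode()
```

A return list that omits one of the three attributes, or mixes tags, yields no VLAN, which is the usual reason a client lands on the port's default VLAN instead of the intended one.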
Hi Kannan,
Very informative response. I guess I need to set it up in the following way.
1) For guest users with non-domain laptops & un-updated antivirus, etc., I need to create a "Native user", and when authentication is accepted, it must return a profile to the Aruba controller that allows only "internet" access, i.e. filtering access to the private address space.
2) For domain-connected users with valid certificates, when authenticated it should reply with such attributes that give full access to the LAN, such as file shares, printers + internet.
Please confirm my understanding.
Hi,
Yes, your understanding is correct.
NOTE:
Please mark the post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!
Regards,
Kannan