
WiFi internet access to guest users and full access to domain users


Hi all,

We are using SBR appliance version 5.4 and want to implement the following policy...

When a user's laptop is joined to a domain, he has internet + LAN access. Otherwise, if it is a non-domain laptop (guest), we want to restrict him to internet only.

I am not sure how to change the eap.ini file to reflect the above policy...

Any thoughts on which EAP flavor to use, and on the eap.ini changes as well?

Accepted Solutions

Re: WiFi internet access to guest users and full access to domain users

Hi,

I understand that you are using SBR appliance version 5.4.

Your requirement is: "When a user's laptop is joined to a domain, he has internet + LAN access. If it is a non-domain laptop (guest), we want to restrict him to internet only."

The eap.ini configuration file configures only the sequence in which EAP authentication types are tried when authenticating users by means of the different Steel-Belted Radius authentication methods. You need to select the authentication methods as Windows domain user first, followed by Native user, in the order of methods under Authentication Policies in the SBR admin GUI.

You can configure a profile that is used to select the attributes sent back on an Access-Accept. Create two profiles, one for domain users and the other for guest users. Map the profiles appropriately to the domain user and the native user.

The Profiles configuration in SBR lets you define sets of checklist and return list attributes. You need to map these attributes in your switch appropriately to assign the VLAN based on the return attributes for .1x authentication.

Hope this clarifies your query.

NOTE:
Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!

Regards,
Kannan.
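
The VLAN return-list attributes the answer refers to, as an added example that is not part of the original posts and is not SBR code: it encodes the standard RFC 2868 / RFC 3580 tunnel attributes for two profiles and checks that an Access-Accept carries the VLAN expected for the authentication method. The method keys, profile names and VLAN IDs 10 and 99 are constructed assumptions.

```python
import struct

# RFC 2868 tunnel attribute types and the RFC 3580 values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy: method keys, profile names and VLAN IDs are assumptions.
PROFILES = {
    "windows-domain": {"profile": "DOMAIN_FULL", "vlan": 10},  # internet + LAN
    "native": {"profile": "GUEST_INET", "vlan": 99},           # internet only
}

def return_list(vlan, tag=1):
    """Encode the three tunnel attributes as they appear in an Access-Accept."""
    def tagged_int(attr, value):  # type, length 6, tag, 3-byte value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = bytes([tag]) + str(vlan).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def vlan_from_attributes(data):
    """Return the VLAN ID a switch would apply, or None if the set is unusable."""
    seen, i = {}, 0
    while i + 2 <= len(data):
        attr, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            return None  # malformed attribute: fail closed
        value = data[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and length == 6:
            seen[attr] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet <= 0x1F is a tag; otherwise it is part of the string.
            text = value[1:] if value[0] <= 0x1F else value
            seen[attr] = text.decode("ascii", "replace")
        i += length
    if seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() else None

def check_policy(auth_method, accept_attrs):
    """True only if the Access-Accept carries the VLAN expected for the method."""
    return vlan_from_attributes(accept_attrs) == PROFILES[auth_method]["vlan"]

if __name__ == "__main__":
    for method, p in PROFILES.items():
        attrs = return_list(p["vlan"])
        print(method, p["profile"], attrs.hex(), check_policy(method, attrs))
```

A guest session whose Access-Accept decodes to the domain VLAN fails `check_policy`, which is the mis-mapping worth testing for after the two profiles are assigned.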

 


Re: WiFi internet access to guest users and full access to domain users

Hi Kannan,

Very informative response. I guess I need to set it up in the following way.

1) For guest users with non-domain laptops, un-updated antivirus, etc., I need to create a "Native user", and when authentication is accepted, it must return a profile to the Aruba controller that allows only "internet" access, i.e. filtering access to private space.

2) Domain-connected users with valid certificates, when authenticated, should get a reply with attributes that give full access to the LAN, such as file shares and printers, plus internet.

Please confirm my understanding.


Re: WiFi internet access to guest users and full access to domain users

Hi,

Yes, your understanding is correct.

NOTE:
Please mark the post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!

 

Regards,

Kannan