Restrictions on logging in using Groups


  • Restrictions on logging in using Groups

    Our firewall is connected to our AD and is fully aware of all of our groups. We use groups in policies for web filtering and it works well. What I can't seem to do is use groups with the captive portal. For example, if I have a bunch of accounts that are part of the Exams group, I don't want them to be able to log in via the captive portal. If I have students, I don't want them to be able to log in via the Staff captive portal.

    This has been posted about before, here is another post from a thread that had no replies and got locked:

    05-20-2021, 11:28 AM
    Is there a way to restrict user authentication via security groups?

    For example, I have a Student SSID and a Faculty SSID. Both use Captive Portal with Google OAuth. Obviously I don't want students to log in with their accounts on the Faculty SSID. Is there a way to restrict Captive Portal to only permit Faculty and Staff accounts to authenticate on the Faculty SSID?

  • #2
    Captive Portal is an app; as such, it runs within a given Policy. In this case you use your AD group membership via Policy Manager to route traffic into a different policy that contains a differently configured Captive Portal app, or simply doesn't have it at all.

    The Wireless question is off target. Nothing Arista Edge produces controls your wireless networks. If you want users to be controlled at the SSID level, you need 802.1X controls on your wireless access points. This means a single SSID for EVERYONE to use, and the WAPs and switches shove people into the appropriate VLAN based on RADIUS logon, which is in turn linked to AD. You don't do this at the edge; your core network needs to handle that work.

    The only valid reason to use different SSIDs for staff vs students is to spread the load over different WAPs. And you need the logins to be built into the WAP so the login to the SSID itself is AD sourced. Again, nothing in NGFW for this.
    Last edited by sky-knight; 02-24-2023, 08:13 AM.
    Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
    Phone: 866-794-8879 x201
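    As an added illustration of the RADIUS-side piece that #2 describes (this is not from the thread, and it is not an NGFW feature): FreeRADIUS "users" file entries that assign a VLAN by AD group during 802.1X and reject accounts that should never get on wireless. It assumes the ldap module is already pointed at AD so LDAP-Group checks resolve, and the group DNs and VLAN IDs are placeholders for your own.

    ```conf
    # Added example, not from the thread: FreeRADIUS "users" file entries that
    # map AD group membership to a VLAN at 802.1X time, as post #2 describes.
    # Assumes the ldap module is configured against AD so LDAP-Group works.
    # Group DNs and VLAN IDs below are placeholders; substitute your own.
    # Entries are tried in order; the first one whose check items match wins.

    # Exam accounts are refused outright, so they never reach any portal or VLAN.
    DEFAULT LDAP-Group == "CN=Exams,OU=Groups,DC=example,DC=local", Auth-Type := Reject
            Reply-Message = "Exam accounts may not join the wireless network"

    # Staff are placed in the staff VLAN (placeholder ID 20).
    DEFAULT LDAP-Group == "CN=Staff,OU=Groups,DC=example,DC=local"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "20"

    # Students are placed in the student VLAN (placeholder ID 30).
    DEFAULT LDAP-Group == "CN=Students,OU=Groups,DC=example,DC=local"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "30"

    # Anyone in no known group is rejected rather than dropped into a default VLAN.
    DEFAULT Auth-Type := Reject
            Reply-Message = "Account is not in an authorised wireless group"
    ```

    The switch or WAP must be configured to honour the Tunnel-* reply attributes (dynamic VLAN assignment), otherwise every client lands in the port's static VLAN regardless of group.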