802.1x Authentication with AD groups

Matthew Posts: 5  Freshman Member
edited April 14 in WirelessLAN
How do I set up 802.1x authentication against Active Directory where only users who belong to a specific AD security group are authenticated? I don't want all domain users to be able to authenticate to the WLAN just ones that I have added to a specific AD security group. I see in the Users/Groups section where I can create an "ext-group-user" that will check the AD security group but I don't see how to specify that Ext-Group-User in the AP profile.

All Replies

  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 346  Zyxel Employee
    Hi @Matthew

    Here is the configurations to add a specific AD group to login.
    1. Go to CONFIGURATION > Object > AAA Server > AD, and add an AD server for the group.
    2. Go to CONFIGURATION > Object > Auth. Method, and add a authentication method for this AD group.

    3. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, and add a profile for the group.

    4. Create an SSID with the security profile as item 3. 
    Hope it helps.

  • RichardHan
    RichardHan Posts: 29  Freshman Member
    AD Server only confirms whether user credential is correct or not. In my opinion, two approaches you can try to reach the goal (only allowed access from specified user group in AD Server):

    1. On your windows server, add another role called "Network Policy Server", so that you can set network policy rules to control which access should be granted or denied.
    > Devices not in the user group can't connect to Wi-Fi due to authentication fail, and there is no additional configuration needs to be set on NXC.

    2. On NXC Controller, the external group user is used to represent a specific group of user. You can use it as a criteria on firewall rule or captive portal rule, and only allow traffic from these users.
    > Devices  not in the user group can still connect to the Wi-Fi, but fails to access the Internet. Since traffic is intercepted/blocked by NXC.
  • Matthew
    Matthew Posts: 5  Freshman Member
    Yeah I figured that part out. But how do I get the AD Server to only authenticate against members of a specific AD group? Best I can tell, the AD Server will authenticate ANY domain user. I can set a specific AD group for the External Group User (like Richard said) but I'm not sure how to tell the WiFi to use that user/group for authentication. If user can't connect, I want them to get a failed authentication message rather than connect but have no internet access. The other problem with Richard's #2 option is that it sounds like it will only block access to the internet/other subnets but not on the users' own subnet.
  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 346  Zyxel Employee
    Hi @Matthew

    The access authority for checking the accounts of different folder layers is set in the Base DN.
    For example, if there's a total 3 layers for the organization unit folder, such as OUtest -> OUtestL1 -> OUtestL2, and you only want users in OUtestL2 to be found, you should set OU=OUtestL2,OU=OUtestL1,OU=OUtest,DC=zyxel,DC=com in the Base DN.

    After finishing the AD server setting, please follow the previous instruction to fill in the Auth method and Security list.