Dynamic VLAN using AD user authentication and MAC address?

  • 1
  • Question
  • Updated 1 year ago
Hi all,

First time posting so please go easy on me! ;)

We're at the design stage of implementing new wifi infrastructure at a single site. What I would like to achieve is as follows:

Business users using a company-provided computer are dynamically assigned VLANs that will allow them to connect to corporate resources, but if using a personal device (personal computer/iPad/smartphone etc.) can only connect to the internet but not the internal network.

I also need to allow guests to connect to the internet but not the internal network.

Our current Aerohive setup consists of a single SSID with 2 user groups, the staff one which uses Private PSK-Manual and the guest group which uses Private PSK-Auto. This was all set up by a 3rd party company so I'm not especially au fait with how it all works currently (I'm sure that's all about to change).

Does anybody have any suggestions on how to best achieve this?

From scouring the forums it looks like using a RADIUS server and AD group membership to dynamically assign VLANs (using enterprise mode) would be the best approach as far as the business users go, but I'm still not sure how to make sure they are only able to connect to the internal network when using a business computer.

I know that it's possible to use the 'Domain Computers' AD group to authenticate the computers, but I want to dynamically assign the VLAN based on several AD user groups so that, for example, the IT team get one VLAN and the finance team get another. That being the case, my understanding is that you can only authenticate against one group at a time, so authenticating the user AND the computer is out! I'm wondering if it's, therefore, possible to use the Calling-Station-Id attribute in conjunction with AD group authentication to achieve what I want, i.e. a business user authenticates against an AD group and is using a 'known' MAC address, so is therefore assigned a VLAN that will allow internal access. The same user authenticates but using a device that isn't known, so is given a default internet-only VLAN?

Lastly (sorry), if the above method is the best approach, what is the best way of gathering the 'known/allowed' MAC address list? We mostly use Dell laptops but also have several Mac OS devices that we would allow to connect to our internal network. Is there a way of gathering the MAC addresses from, say, a DHCP server, or is there a better way?

Many thanks in advance

Duncan S

  • 3 Posts
  • 0 Reply Likes

Posted 1 year ago
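The policy sketched in the question (AD group membership picks the VLAN, but only when the Calling-Station-Id matches a known corporate MAC; anything else lands in an internet-only VLAN) is easy to prototype outside of any particular RADIUS server. The block below is an added example written for this thread, not code from the original post or from Aerohive. The group names, VLAN numbers, MAC addresses and the dhcpd.leases text are all constructed; the lease parser assumes ISC dhcpd's lease-file format, since the question asks about harvesting MACs from a DHCP server. It also handles the edge case that different NAS vendors send Calling-Station-Id in different formats (dashes, colons, Cisco-style dots, or bare hex), so the lookup normalizes before comparing.

```python
import re
from typing import Iterable, Optional

# --- Constructed VLAN plan (assumption for this example, not from the thread) ---
VLAN_BY_GROUP = {"IT": 10, "Finance": 20}   # AD group -> VLAN for corporate devices
INTERNET_ONLY_VLAN = 99                     # default for unknown / personal devices

# --- Constructed sample of an ISC dhcpd.leases file (assumed format) ---
SAMPLE_LEASES = """
lease 192.168.10.21 {
  starts 3 2019/05/01 08:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "DELL-LAPTOP-01";
}
lease 192.168.10.22 {
  hardware ethernet A4:5E:60:AA:BB:CC;
  client-hostname "MacBook-Pro";
}
"""

_LEASE_MAC = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Return the MAC as lower-case 'aa:bb:cc:dd:ee:ff', or None if the
    Calling-Station-Id is not a MAC in one of the common NAS formats:
    AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, AABBCCDDEEFF."""
    s = calling_station_id.strip().lower()
    if re.fullmatch(r"([0-9a-f]{2}[-:]){5}[0-9a-f]{2}", s):
        digits = s.replace("-", "").replace(":", "")
    elif re.fullmatch(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", s):
        digits = s.replace(".", "")
    elif re.fullmatch(r"[0-9a-f]{12}", s):
        digits = s
    else:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def macs_from_dhcpd_leases(leases_text: str) -> set:
    """Harvest every 'hardware ethernet' MAC from ISC dhcpd lease text.
    Note: this yields every client that ever took a lease, personal devices
    included, so the result still has to be reconciled with an asset list."""
    return {normalize_mac(m) for m in _LEASE_MAC.findall(leases_text)}


def assign_vlan(user_groups: Iterable[str], calling_station_id: str,
                known_macs: set, vlan_by_group: dict = VLAN_BY_GROUP) -> int:
    """Decide the VLAN for one authentication:
    known corporate MAC + recognised AD group -> that group's VLAN,
    otherwise the internet-only VLAN."""
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in known_macs:
        return INTERNET_ONLY_VLAN
    for group in user_groups:            # first listed group that has a VLAN wins
        if group in vlan_by_group:
            return vlan_by_group[group]
    return INTERNET_ONLY_VLAN            # user is in no group with a VLAN mapping


def radius_reply(vlan: int) -> dict:
    """The three Access-Accept attributes (RFC 3580) that tell the AP which
    VLAN to place the client in; values are the standard enumerations."""
    return {
        "Tunnel-Type": "VLAN",              # enum 13
        "Tunnel-Medium-Type": "IEEE-802",   # enum 6
        "Tunnel-Private-Group-Id": str(vlan),
    }


if __name__ == "__main__":
    known = macs_from_dhcpd_leases(SAMPLE_LEASES)
    for groups, csid in [(["Finance"], "00-11-22-33-44-55"),   # corp laptop
                         (["Finance"], "DE-AD-BE-EF-00-01"),   # personal device
                         (["IT", "Finance"], "a45e.60aa.bbcc")]:
        print(groups, csid, "->", radius_reply(assign_vlan(groups, csid, known)))
```

The same decision table can be expressed as a policy in whatever RADIUS server you deploy, with the known-MAC set as a lookup. Two points to keep in mind when doing so: the group check iterates in the order you list the groups, so a user in both IT and Finance gets whichever mapping appears first, and Calling-Station-Id is simply the MAC the client presents, so it is a device-recognition signal rather than device authentication, which is the same limitation the thread later acknowledges for PSK-plus-MAC binding.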

  • 1

BJ, Champ

  • 374 Posts
  • 45 Reply Likes
You're on the right path. The interesting point you raise is keeping business machines off the guest network, which you would inherently want available to "everyone." My choice would be to rate limit the guest network via Aerohive's firewall, so that your business users would actually prefer to utilize the corp network due to better throughput. I will be interested to hear others' opinions.

Best,
BJ

Duncan S

  • 3 Posts
  • 0 Reply Likes
The issue is ensuring that 'Business Users' are only able to connect to internal network resources when using a domain computer. Since posting I've found this article which may be close to our requirements:

https://community.aerohive.com/aerohive/topics/restrict_non_domain_devices_byod_from_authenticating_...

I'm considering still using Private PSK-Auto for guests (we use this currently and I see no reason to change it), but I'm not sure that I can do that using the same SSID if I've chosen RADIUS as my authentication method.
(Edited)

Duncan S

  • 3 Posts
  • 0 Reply Likes
In the end we've decided to continue using Private PSK with MAC address binding. It might not stop a determined attack, but it should suffice as far as the casual user who wants to try putting their own device on our corporate wifi.