topic Re: Exclude account(s) from authentication? in General Topics

Exclude account(s) from authentication?

OGMaverick — Tue, 08 Jan 2019 12:51:16 GMT

I know there is the allow list, but what about an exclude? We use Captive Portal for BYOD and have thousands of accounts we want to allow, but exclude our double digit generic accounts from being able to log in. What's the best way to achieve this?

Re: Exclude account(s) from authentication?

BPry — Tue, 08 Jan 2019 20:37:46 GMT

@OGMaverick,

So I would generally create a new AD group for something like this, and then simply deny the group associated with the accounts that you don't want to provide access to.

Re: Exclude account(s) from authentication?

OGMaverick — Wed, 09 Jan 2019 17:31:07 GMT

That is what we'd like to do, but we only see the option to allow a group/accounts.

Re: Exclude account(s) from authentication?

LukeBullimore — Thu, 10 Jan 2019 12:39:09 GMT

Hey @OGMaverick

Under the advanced tab of an authentication profile (Device -> Authentication Profile), you can allow only certain users or groups from authenticating against that authentication profile via the "allow list".

You would do this change against the authentication profile that is tied to your captive portal.

Let me know if this helps.

Thanks,

Luke.

Re: Exclude account(s) from authentication?

BPry — Thu, 10 Jan 2019 18:30:31 GMT

@OGMaverick,

SO @LukeBullimore gives a good solution, but even if you don't want to mess around with the Auth Profile you can do the following.

You're going to get a proper user-id mapping with Captive Portal ya, so why wouldn't you make 2 security policies.

1) Denies the generic accounts if coming from the BYOD IP range from accessing anything.

2) Allow known-user on the rest of the policies. If they have been auth'd then good to go, otherwise the generic accounts hit the first rule and the traffic is denied.

Re: Exclude account(s) from authentication?

OGMaverick — Fri, 11 Jan 2019 14:22:26 GMT

@LukeBullimore I believe that is the opposite of what we'd like to do. There are many many groups and users to be allowed and only a few we'd like denied from logging into captive portal, so a deny option would be best instead of an allow.

@BPry We do currently have a security policy to deny all traffic if they are coming from the captive portal network + match one of the generic user accounts. We'd much rather prefer them not be able to log in with the user at all on the captive portal, as they would now have to wait 24 hours to be re-prompted for creds or have us manually flush them so they can log in with the proper accounts.