Exclude account(s) from authentication?

I know there is the allow list, but what about an exclude?  We use Captive Portal for BYOD and have thousands of accounts we want to allow, but exclude our double digit generic accounts from being able to log in.  What's the best way to achieve this?

@OGMaverick,

So I would generally create a new AD group for something like this, and then simply deny the group associated with the accounts that you don't want to provide access to. 

That is what we'd like to do, but we only see the option to allow a group/accounts.

Hey @OGMaverick

Under the advanced tab of an authentication profile (Device -> Authentication Profile), you can allow only certain users or groups to authenticate against that authentication profile via the "allow list".

You would make this change on the authentication profile that is tied to your captive portal.

Let me know if this helps.

Thanks,

Luke.

@OGMaverick,

So @LukeBullimore gives a good solution, but even if you don't want to mess around with the Auth Profile you can do the following.

You're going to get a proper user-id mapping with Captive Portal, ya, so why wouldn't you make 2 security policies?

1) Denies the generic accounts if coming from the BYOD IP range from accessing anything.

2) Allow known-user on the rest of the policies. If they have been auth'd then good to go; otherwise the generic accounts hit the first rule and the traffic is denied.
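The two-rule approach described in the reply above, written out as PAN-OS CLI `set` commands. This is an added example and not configuration from the thread or from Palo Alto Networks; the zone name `byod`, the address object `byod-net`, the account names `corp\generic01` and `corp\generic02`, and the test IPs are assumptions for illustration. Rule order is the security-relevant detail: the deny must sit above the known-user allow, and the deny rule must match `any` application and service so the generic accounts get nothing.

```text
# Added example (not from the thread). Assumed objects: zone "byod",
# address object "byod-net" covering the captive-portal subnet, and
# two generic accounts corp\generic01 and corp\generic02.

# Rule 1: generic accounts coming from the BYOD range are denied everything.
set rulebase security rules deny-generic-byod from byod to any
set rulebase security rules deny-generic-byod source byod-net destination any
set rulebase security rules deny-generic-byod source-user [ corp\generic01 corp\generic02 ]
set rulebase security rules deny-generic-byod application any service any
set rulebase security rules deny-generic-byod action deny
set rulebase security rules deny-generic-byod log-end yes

# Rule 2: any other user with a User-ID mapping from the BYOD range is allowed.
set rulebase security rules allow-byod-known-user from byod to any
set rulebase security rules allow-byod-known-user source byod-net destination any
set rulebase security rules allow-byod-known-user source-user known-user
set rulebase security rules allow-byod-known-user application any service application-default
set rulebase security rules allow-byod-known-user action allow

# Order matters: the deny is evaluated first, the allow directly after it.
move rulebase security rules deny-generic-byod top
move rulebase security rules allow-byod-known-user after deny-generic-byod
commit

# Check (operational mode): a generic account from the BYOD subnet should hit the
# deny rule, a normal mapped user should hit the allow rule. IPs are assumptions.
test security-policy-match from byod to any source 10.50.1.20 destination 203.0.113.10 protocol 6 destination-port 443 source-user corp\generic01
test security-policy-match from byod to any source 10.50.1.21 destination 203.0.113.10 protocol 6 destination-port 443 source-user corp\jdoe

# Check which mapping the captive portal created for an address, and clear it if a
# generic account was used so the device is re-prompted instead of waiting out the timeout.
show user ip-user-mapping ip 10.50.1.20
clear user-cache ip 10.50.1.20
```

One caveat a practitioner should keep in mind with this design: the deny rule blocks the traffic, but it does not stop the generic account from succeeding at the captive portal, so the User-ID mapping for that device is still created and lives for the configured timeout. Until it expires or is cleared with `clear user-cache`, the device cannot re-authenticate as the correct user, which is the limitation the original poster raises later in the thread.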
@LukeBullimore I believe that is the opposite of what we'd like to do.  There are many many groups and users to be allowed and only a few we'd like denied from logging into captive portal, so a deny option would be best instead of an allow.

 

@BPry We do currently have a security policy to deny all traffic if they are coming from the captive portal network + match one of the generic user accounts.  We'd much rather prefer that they not be able to log in with the user at all on the captive portal, as they would now have to wait 24 hours to be re-prompted for creds or have us manually flush them so they can log in with the proper accounts.
