Exclude account(s) from authentication?

L3 Networker

I know there is the allow list, but what about an exclude?  We use Captive Portal for BYOD and have thousands of accounts we want to allow, but exclude our double digit generic accounts from being able to log in.  What's the best way to achieve this?

Cyber Elite

@OGMaverick,

So I would generally create a new AD group for something like this, and then simply deny the group associated with the accounts that you don't want to provide access to. 

L3 Networker

That is what we'd like to do, but we only see the option to allow a group/accounts.

L5 Sessionator

Hey @OGMaverick

Under the advanced tab of an authentication profile (Device -> Authentication Profile), you can allow only certain users or groups to authenticate against that authentication profile via the "allow list".

You would make this change against the authentication profile that is tied to your captive portal.

Let me know if this helps.

Thanks,

Luke.

Cyber Elite

@OGMaverick,

So @LukeBullimore gives a good solution, but even if you don't want to mess around with the Auth Profile you can do the following.


You're going to get a proper user-id mapping with Captive Portal ya, so why wouldn't you make 2 security policies.

1) Denies the generic accounts if coming from the BYOD IP range from accessing anything. 

2) Allow known-user on the rest of the policies. If they have been auth'd then good to go, otherwise the generic accounts hit the first rule and the traffic is denied. 

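The two-rule design described in this reply, written out as PAN-OS CLI set commands. This is an added example, not configuration posted in the thread; the zone names, the BYOD address object, the domain and the generic account names are placeholders, and the field names follow PAN-OS set syntax as I know it, so check them against your own version before committing.

```text
# Added example (not from the thread). Placeholders: zones "byod"/"untrust",
# address object "BYOD-Net", domain "corp", generic accounts generic01/generic02.
set address BYOD-Net ip-netmask 10.50.0.0/16

# Rule 1: deny everything from the BYOD range when the mapped user is one of
# the generic accounts. Captive Portal still creates the IP-to-user mapping;
# this rule blocks the traffic, it does not stop the login itself.
set rulebase security rules Deny-Generic-BYOD from byod to any
set rulebase security rules Deny-Generic-BYOD source BYOD-Net destination any
set rulebase security rules Deny-Generic-BYOD source-user [ "corp\generic01" "corp\generic02" ]
set rulebase security rules Deny-Generic-BYOD application any service any action deny
set rulebase security rules Deny-Generic-BYOD log-end yes

# Rule 2: anyone else from the BYOD range who already has a user mapping
# (known-user) is allowed; unmapped users do not match this rule.
set rulebase security rules Allow-Known-BYOD from byod to untrust
set rulebase security rules Allow-Known-BYOD source BYOD-Net destination any
set rulebase security rules Allow-Known-BYOD source-user known-user
set rulebase security rules Allow-Known-BYOD application any service application-default action allow

# Order matters: the deny rule must sit above the allow rule.
move rulebase security rules Deny-Generic-BYOD top
move rulebase security rules Allow-Known-BYOD after Deny-Generic-BYOD
commit
```

The deny rule's log entries are also the simplest way to see how often the generic accounts are still being used on the BYOD network.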
L3 Networker

@LukeBullimore I believe that is the opposite of what we'd like to do.  There are many many groups and users to be allowed and only a few we'd like denied from logging into captive portal, so a deny option would be best instead of an allow.

 

@BPry We do currently have a security policy to deny all traffic if they are coming from the captive portal network + match one of the generic user accounts.  We'd much rather prefer them not be able to log in with the user at all on the captive portal, as they would now have to wait 24 hours to be re-prompted for creds or have us manually flush them so they can log in with the proper accounts.
