Control access to subnet via AD

Hi All

I’m hoping someone can point me in the right direction or give me some advice on how we can accomplish the below.

What I would like to do is control access to subnets via active directory security groups, so if a user is in a certain security group they will be denied access to one subnet and have access to all other subnets.

I’m currently running a VMware cluster which hosts my production and demo environments and I now need to separate our demo systems from our production environment. We are planning to keep our production environment on and create a new subnet and move all my demo systems into this subnet using VLAN’s. All my users’ desktops will be left on the production network ( I need to restrict access to some of my users accessing the demo environment and I would like to control this through AD.

Can you please advise me how I would accomplish this or if this is a good way go?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
This would be something you configure via a firewall not active directory.

Aaron TomoskySD-WAN SimplifiedCommented:
What is doing your layer 3 routing? Sonicwall can do this, and so can other gear if it integrates with AD.
Jakob DigranesSenior ConsultantCommented:
You'd have to deploy 802.1X on wired and wireless infrastructure to accomplish this. Then you need:
* a Radius server. For instance Win2008/2012 server with NPS - or a 3rd party like Cisco ISE og Aruba Clearpass
* switces and access points able to do 802.1X authentication
* a GPO that deploys 802.1X settings to computers
* optionally, an internal PKI for server verification and possibly client authentication

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Steve KnightIT ConsultancyCommented:
Other question here is.... what do you mean by "access".

If you mean no IP communication at all then you are going to have to look at suggestions like above.
If you mean access services on those boxes then it is just down to the permissions you put into them.

Another method to stop casual access is to deploy a static route, either for the "wrong" users which points the test environment IP range to nowhere, or for the "right" users to add a route to the other VLAN.
Craig BeckCommented:
Like Jakob says, you need 802.1x.  As well as that though you also need your switches to support dACLs.
802.1x controls which devices/users can access a switch port, and which VLAN they may get placed on. It does not having anything to do with how the network routes traffic. It's actually unclear which the OP is looking for.
Craig BeckCommented:
It seems pretty clear to me.

The way to do it would be to use dACLs based on AD security-group.  Simple enough.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.