Kevin Turnbull asked:
Control access to subnet via AD

Hi All

I’m hoping someone can point me in the right direction or give me some advice on how we can accomplish the below.

What I would like to do is control access to subnets via active directory security groups, so if a user is in a certain security group they will be denied access to one subnet and have access to all other subnets.

I’m currently running a VMware cluster which hosts my production and demo environments and I now need to separate our demo systems from our production environment. We are planning to keep our production environment on 192.168.3.0/24 and create a new subnet 192.168.4.0/24 and move all my demo systems into this subnet using VLANs. All my users’ desktops will be left on the production network (192.168.3.0/24). I need to restrict some of my users from accessing the demo environment and I would like to control this through AD.

Can you please advise me how I would accomplish this, or if this is a good way to go?

Thanks
Tazz
Will Szymkowski

This would be something you configure via a firewall not active directory.

Will.
What is doing your layer 3 routing? Sonicwall can do this, and so can other gear if it integrates with AD.
ASKER CERTIFIED SOLUTION
Jakob Digranes

This solution is only available to members.
Other question here is.... what do you mean by "access".

If you mean no IP communication at all then you are going to have to look at suggestions like above.
If you mean access services on those boxes then it is just down to the permissions you put into them.

Another method to stop casual access is to deploy a static route, either for the "wrong" users which points the test environment IP range to nowhere, or for the "right" users to add a route to the other VLAN.
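As an added illustration of the "wrong users" idea above (this is my example, not code from the thread), the following PowerShell applies a host-side block on 192.168.4.0/24 when the logged-on user belongs to a denying AD security group. It assumes a hypothetical group name DOMAIN\Demo-Denied and that the script runs elevated in the user's context at logon (for example as a scheduled task with highest privileges); it uses a Windows Firewall outbound rule rather than a null route because the rule is explicit and easy to audit. Like the static-route approach, it only stops casual access: a local administrator can remove it, so the switch/firewall remains the real control.

```powershell
# Added example, not from the thread. Host-side block of the demo VLAN
# keyed on AD group membership. Assumptions: group name is hypothetical,
# subnet is the one from the question, script runs elevated at logon.

$DemoSubnet  = '192.168.4.0/24'        # demo VLAN from the question
$DeniedGroup = 'DOMAIN\Demo-Denied'    # hypothetical AD security group
$RuleName    = 'Block-Demo-VLAN'

# Read group membership from the logon token; no RSAT/AD module needed.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isDenied  = $principal.IsInRole($DeniedGroup)

# Is the block rule already present on this host?
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

if ($isDenied -and -not $existing) {
    # Outbound block to the demo VLAN, all firewall profiles.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -RemoteAddress $DemoSubnet -Action Block -Profile Any | Out-Null
    Write-Output "$($identity.Name) is in $DeniedGroup; blocked $DemoSubnet"
}
elseif (-not $isDenied -and $existing) {
    # User is not in the denied group (membership changed or a different
    # user logged on): lift the block so the rule does not linger.
    Remove-NetFirewallRule -DisplayName $RuleName
    Write-Output "$($identity.Name) not in $DeniedGroup; removed block on $DemoSubnet"
}
else {
    Write-Output "No change needed for $($identity.Name)"
}
```

Because the rule lives on the desktop, it is only a convenience layer; enforcement that cannot be undone by the user still has to happen on the network side (firewall, 802.1x/dACL) as the other replies describe.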
Like Jakob says, you need 802.1x.  As well as that though you also need your switches to support dACLs.
802.1x controls which devices/users can access a switch port, and which VLAN they may get placed on. It does not have anything to do with how the network routes traffic. It's actually unclear which the OP is looking for.
It seems pretty clear to me.

The way to do it would be to use dACLs based on AD security-group.  Simple enough.