Control access to subnet via AD

Hi All

I’m hoping someone can point me in the right direction or give me some advice on how we can accomplish the below.

What I would like to do is control access to subnets via active directory security groups, so if a user is in a certain security group they will be denied access to one subnet and have access to all other subnets.

I’m currently running a VMware cluster which hosts my production and demo environments and I now need to separate our demo systems from our production environment. We are planning to keep our production environment on 192.168.3.0/24 and create a new subnet 192.168.4.0/24 and move all my demo systems into this subnet using VLANs. All my users’ desktops will be left on the production network (192.168.3.0/24). I need to restrict access to some of my users accessing the demo environment and I would like to control this through AD.

Can you please advise me how I would accomplish this or if this is a good way to go?

Thanks
Tazz
Kevin Turnbull, IT Manager, Asked:

Will Szymkowski, Senior Solution Architect, Commented:
This would be something you configure via a firewall not active directory.

Will.
Aaron Tomosky, Director of Solutions Consulting, Commented:
What is doing your layer 3 routing? Sonicwall can do this, and so can other gear if it integrates with AD.
Jakob Digranes, Senior Consultant, Commented:
You'd have to deploy 802.1X on wired and wireless infrastructure to accomplish this. Then you need:
* a Radius server. For instance Win2008/2012 server with NPS - or a 3rd party like Cisco ISE or Aruba Clearpass
* switches and access points able to do 802.1X authentication
* a GPO that deploys 802.1X settings to computers
* optionally, an internal PKI for server verification and possibly client authentication

Steve Knight, IT Consultancy, Commented:
Other question here is.... what do you mean by "access".

If you mean no IP communication at all then you are going to have to look at suggestions like above.
If you mean access services on those boxes then it is just down to the permissions you put into them.

Another method to stop casual access is to deploy a static route, either for the "wrong" users which points the test environment IP range to nowhere, or for the "right" users to add a route to the other VLAN.
Craig Beck Commented:
Like Jakob says, you need 802.1x.  As well as that though you also need your switches to support dACLs.
kevinhsieh Commented:
802.1x controls which devices/users can access a switch port, and which VLAN they may get placed on. It does not have anything to do with how the network routes traffic. It's actually unclear which the OP is looking for.
Craig Beck Commented:
It seems pretty clear to me.

The way to do it would be to use dACLs based on AD security-group.  Simple enough.
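
A small model of the dACL approach suggested in the thread, added here as an example and not posted by any participant: after 802.1X authentication the RADIUS policy picks an ACL from the user's AD group membership, and the switch applies it to that session. The group name `Demo-Denied`, the first-match and implicit-deny semantics, and the permit-all default are assumptions of this sketch; the subnets are the ones in the question.

```python
import ipaddress

# Subnet from the question; group name below is hypothetical.
DEMO = ipaddress.ip_network("192.168.4.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered policy: the first group the user belongs to selects the dACL.
DACL_BY_GROUP = [
    ("Demo-Denied", [("deny", DEMO), ("permit", ANY)]),
]
# Users in none of the listed groups get this ACL (assumed default).
DEFAULT_DACL = [("permit", ANY)]


def select_dacl(user_groups):
    """Return the ACL the RADIUS policy would hand to the switch for this session."""
    groups = {g.lower() for g in user_groups}  # AD group names are case-insensitive
    for group, acl in DACL_BY_GROUP:
        if group.lower() in groups:
            return acl
    return DEFAULT_DACL


def evaluate(acl, dst_ip):
    """First matching entry wins; no match falls through to an implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, network in acl:
        if dst in network:
            return action
    return "deny"


def session_allows(user_groups, dst_ip):
    """True if a session for a user with these groups may reach dst_ip."""
    return evaluate(select_dacl(user_groups), dst_ip) == "permit"


if __name__ == "__main__":
    # Constructed sample sessions: (group memberships, destination).
    for groups, dst in [
        (["Domain Users", "Demo-Denied"], "192.168.4.10"),
        (["Domain Users", "Demo-Denied"], "192.168.3.20"),
        (["Domain Users"], "192.168.4.10"),
    ]:
        print(groups, dst, "permit" if session_allows(groups, dst) else "deny")
```

With a deny group, any account that has not been added to the group reaches the demo subnet by default; mapping an allow group to a permit ACL and denying 192.168.4.0/24 in the default makes the policy fail closed.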