We’ve had a request from a mutual client asking if there will ever be the ability to configure Application Control to filter by Group, or indeed by User. Are there any plans to add this to its functionality in the future?
You can configure Application Control filtering by groups. That is, if you have users authenticate using a Radius server and the server passes back a group value then any Application based filter rule in the filter list for that group will get applied to the user. Radius based groups is also how you can also place users into different VLANs.
You will need to configure groups and the related filter lists with User-Defined Overrides in cnMaestro.
I don’t think Application Control applied on an individual user basis is necessary as by groups should be sufficient.
Many thanks for replying Pete.
Earlier today I had a response from Cambium Support stating that neither were possible currently.
The customer is using RADIUS functionality to authenticate users, but this is handled via a third party product that sits between their APs and AD. It does pass a group membership attribute back, but not quite in the same way that MS NPS would, if communication was direct. They are also using XMS-C rather than cnMaestro. Would you happen to know of any white papers published that might help me?
If you are using XMS-C then maybe you can get the proper group information back from the Radius server to the APs upon user authentication and then group based Application Control filters can be applied to user traffic. What needs to be sent back from the Radius server to the AP is a value such as, Filter-Id = “staff”. This is what the AP uses as a group ID.
You can configure groups in XMS-C and create Application Control filter rules for all the groups you expect to receive from the Radius server. You should be familiar with XMS-C and Profiles which is how APs are configured. You can obtain the XMS-C user guide from the support website, support.cambiumnetworks.com.
Once a Profile has been created, go to the Policies. See screenshot.
Then go down to the User Group Policies section and click to create new User Group Policy. See screenshot.
Now name the new User Group Policy and supply the Radius Filter-ID. This value has to match what the AP receives from the Radius server. See screenshot.
Once the User Group Policy has been created you can then click to add a filter rule. See screenshot.
Select Application Control for type of filter rule and fill in the values as desired. See screenshot.
And that is it. An Application Control filter rule will now be applied to all users in the staff user group. See screenshot.
If I find any related white papers I will let you know.
Many thanks Pete. This is very much appreciated.