Cloudpath and Azure AD SAML Authentication with different groups

dennisvb
New Contributor

Hey,

My question is: when using Azure AD to sign in using SAML, is there a way to declare the different groups having access to a certain VLAN? So that the IT group automatically ends up in a certain VLAN, different from when a user from a different group logs on.


pierce_larsen
New Contributor III

Dennis,

Yes, this is possible. If you map the group claim attribute, then we can create policies with specific VLANs (or RADIUS attributes) based on those groups.

In Azure, there is a limitation of getting the actual group name to come over via SAML. If they used Azure AD Connect Sync 1.2.70.0 or above and bring those groups from On-Premise AD, they will show up with the group name.

However, if the groups are not brought over from on-premise AD, we can still accomplish the use case, but we need to filter based on the Object ID of the group (i.e., c8fbf2ba-e5f4-4105-a942-481f396746b3).

As long as that group claim is mapped to "Group/Affiliation Attribute" in the SAML config on CP, then we can create a policy like this:

IF Group = c8fbf2ba-e5f4-4105-a942-481f396746b3
THEN VLAN = 1

Let me know if you have questions on this, if you provide your e-mail I can send you some screenshots.

Thanks,

Pierce

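To make the policy above concrete, here is an added Python example (not Cloudpath's or Azure's code) that pulls the Azure AD group claim out of a constructed SAML assertion and applies an ordered "Group = object ID, THEN VLAN" table; the claim URI is Azure AD's standard groups claim, and the second group ID and the VLAN numbers other than 1 are constructed placeholders.

```python
"""Evaluate a Cloudpath-style 'Group = <object ID> -> VLAN' policy against the
group claim in a SAML assertion. Added example, not Cloudpath's implementation."""
import xml.etree.ElementTree as ET

# Azure AD emits group membership under this claim URI; the values are
# group object IDs unless names are synced from on-premises AD.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Ordered policy table: first matching group wins. Only the first ID is from
# the thread; the second ID and the VLAN 20 / 99 values are constructed.
POLICIES = [
    ("c8fbf2ba-e5f4-4105-a942-481f396746b3", 1),    # IT group -> VLAN 1
    ("00000000-0000-4000-8000-000000000002", 20),   # constructed: staff group
]
DEFAULT_VLAN = 99  # fall-back VLAN when a user matches no policy


def group_values(assertion_xml: str) -> list[str]:
    """Return every value of the group claim (empty if the claim is absent).
    Signature validation of the assertion must happen before this step."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            for val in attr.iterfind("saml:AttributeValue", NS):
                values.append((val.text or "").strip().lower())
    return values


def assign_vlan(assertion_xml: str) -> int:
    """Walk the policy table in order; object IDs compare case-insensitively."""
    groups = set(group_values(assertion_xml))
    for object_id, vlan in POLICIES:
        if object_id.lower() in groups:
            return vlan
    return DEFAULT_VLAN


# Constructed assertion fragment (signature, issuer and subject omitted).
IT_USER = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>C8FBF2BA-E5F4-4105-A942-481F396746B3</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-4000-8000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(assign_vlan(IT_USER))  # 1
```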

Dennis,

I uploaded the screens as a ZIP file to Google Drive, let me know I can e-mail them as well:

https://drive.google.com/file/d/1YXsK4oaZMTv3g2E4jc_pIege-dZNI6_q/view?usp=sharing 

Let me know if you have questions.


Thanks,

Pierce

Hi Pierce,

It sounds clear to me. Thank you in advance; this looks like a helpful solution.
Will try to config it later.

thanks,
Dennis

Not a problem, let me know if you need any assistance.

Thanks,

Pierce