05-16-2022 07:31 AM
My question is: when using Azure AD to sign in using SAML, is there a way to declare the different groups having access to a certain VLAN? So that the group of IT staff automatically ends up in a certain VLAN, different from when a user from a different group logs on.
05-18-2022 09:39 AM
Yes, this is possible. If you map the group claim attribute, then we can create policies with specific VLANs (or RADIUS attributes) based on those groups.
In Azure, there is a limitation of getting the actual group name to come over via SAML. If they used Azure AD Connect Sync 220.127.116.11 or above and bring those groups from On-Premise AD, they will show up with the group name.
However, if the groups are not brought over from on-premise AD, we can still accomplish the use case, but we need to filter based on the Object ID of the group (i.e., c8fbf2ba-e5f4-4105-a942-481f396746b3).
As long as that group claim is mapped to the "Group/Affiliation Attribute" in the SAML config on CP, then we can create a policy like this:
IF, Group = c8fbf2ba-e5f4-4105-a942-481f396746b3
THEN, VLAN = 1
Let me know if you have questions on this, if you provide your e-mail I can send you some screenshots.
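To make the mapping concrete, here is an added example (not code from the thread or from ClearPass) that pulls the groups claim out of a SAML assertion and evaluates an ordered Object-ID-to-VLAN policy like the one above. The claim name is the Azure AD default groups claim and the second group ID and VLAN numbers are constructed; the assertion is assumed to have already been signature-checked by the SP.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Default claim name Azure AD emits for group membership (assumption: not customised).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed, minimal assertion: only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>c8fbf2ba-e5f4-4105-a942-481f396746b3</saml:AttributeValue>
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml, claim_name=GROUPS_CLAIM):
    """Return every value of the groups claim (Object IDs when names are not synced)."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == claim_name:
            for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                if val.text:
                    groups.append(val.text.strip())
    return groups


# Ordered rules, first match wins: a user in several groups lands in the
# VLAN of the first rule that matches, so order the most privileged rule first.
POLICY = [
    ("c8fbf2ba-e5f4-4105-a942-481f396746b3", 1),   # IT group Object ID from the thread
    ("11111111-2222-3333-4444-555555555555", 20),  # constructed second group
]
DEFAULT_VLAN = 99  # constructed fallback for users matching no rule


def select_vlan(groups, policy=POLICY, default=DEFAULT_VLAN):
    """Apply the first matching rule; Object IDs are compared case-insensitively."""
    present = {g.lower() for g in groups}
    for group_id, vlan in policy:
        if group_id.lower() in present:
            return vlan
    return default


if __name__ == "__main__":
    print(select_vlan(extract_groups(SAMPLE_ASSERTION)))  # IT user -> VLAN 1
```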
05-18-2022 10:01 AM
I uploaded the screens as a ZIP file to Google Drive; let me know if you would like me to e-mail them as well:
Let me know if you have questions.
05-19-2022 02:59 AM
It sounds clear to me. Thank you in advance; this looks like a helpful solution.
Will try to config it later.
05-19-2022 01:40 PM
Not a problem, let me know if you need any assistance.