NGAF issue

msj Lv1 Posted 2024-Jul-17 14:57

Hi,
I have an NGAF, and I want only domain devices to be able to access the internet; if any unknown (non-domain) device or guest device connects to the internal network, it should not be able to access the internet.
Kindly suggest how to achieve that.

Product Name & Version No.: M4500-F-I & version 8.0.47

Thank You

Enrico Vanzetto has solved this question and earned 10 coins.

Enrico Vanzetto Lv4 Posted 2024-Jul-17 16:09

Hi, you can achieve it by creating a dedicated VLAN in your network environment for your domain users. You need to set up a RADIUS server (look at the NPS role on Windows Server) to allow the domain users to connect to this network. After that, on the NGAF, you can allow only this newly created VLAN to go to the internet without restrictions. For other networks (guest, for example) you can create a dedicated VLAN with the NGAF as DHCP server and block internet access with a policy. This achieves network isolation between domain clients and guest clients.
jerome_itable Lv3 Posted 2024-Jul-17 17:15

You can achieve this level of access control using Domain Authentication and Access Control Lists (ACLs) on your Sangfor NGAF M4500.

Here's how:

1. Domain Authentication:

    Configure your Sangfor NGAF to use your organization's Active Directory or LDAP server for user authentication. This allows the NGAF to verify if a device attempting to access the internet belongs to your domain.

2. Access Control Lists (ACLs):

    Create two ACLs:
        Allow Rule: This rule will allow internet access for devices authenticated by your domain.
        Deny Rule: This rule will deny internet access for any device that fails domain authentication (unknown devices or guest devices).

Here's a general breakdown of the ACL configuration steps (consult the Sangfor NGAF M4500 v8.0.47 manual for specific interface details):

* Go to the **Security** --> **Policy Control** --> **Access Control** section in the NGAF management console.
* Create a new ACL rule (likely under "Web Filter" or similar section).
* In the **Source** section, select the interface where devices connect to the network (e.g., LAN interface).
* In the **Destination** section, select "any" or specific internet objects (e.g., "Internet Any").
* In the **Service** section, select "HTTP", "HTTPS", and any other internet protocols you want to allow/deny (e.g., FTP, VPN).
* In the **Action** section:
    * For the **Allow Rule:** Set the action to "Permit".
    * For the **Deny Rule:** Set the action to "Deny".
* Under **Advanced Options**, choose **User/Device** authentication type.
* In the **User/Device** section:
    * For the **Allow Rule:** Select "Domain Users" or a similar group containing your domain devices.
    * For the **Deny Rule:** Leave this empty or select "All" to encompass any device not authenticated by the domain.

3. Applying the ACLs:

    Once you've created both ACL rules, create a new security policy.
    In the security policy configuration, attach the two ACLs you created:
        The Allow Rule should be placed at a higher priority (usually placed on top) compared to the Deny Rule. This ensures that domain-authenticated devices get priority for internet access.
        The Deny Rule should be placed below the Allow Rule to catch any unmatched traffic.
    Assign the security policy to the appropriate interface (e.g., LAN interface) where devices connect.

Additional Considerations:

    You may need to create separate rules or policies for specific guest network access needs, if applicable.
    For more granular control, you can define device groups based on IP address ranges or MAC addresses to further restrict or allow internet access.
Newbie290036 Posted 2024-Jul-17 20:15
  
To achieve this on your Sangfor NGAF M4500-F-I v8.0.47, you can configure the "Domain Isolation" feature. This feature allows you to isolate specific domains to the internet, while denying access to unknown or guest devices. To do this, go to the NGAF web interface, navigate to "Policy" > "Domain Isolation", and create a new policy. Select the domain(s) you want to isolate and set the "Outbound Access" to "Allow". Then, create a new rule with a "Source" of "Unknown" and set the "Action" to "Deny". This will block any unknown devices from accessing the internet. Finally, make sure to enable the policy and apply it to your desired zones or interfaces. This way, only authorized domain devices will be able to access the internet, while unknown or guest devices will be blocked.
CLELUQMAN Lv4 Posted 2024-Jul-18 09:17

You can set an authentication policy.
Farina Ahmed Lv5 Posted 2024-Jul-18 17:46
  
For this, configure access control policies based on user authentication. Enable 802.1x authentication or integrate with your domain controller to enforce policies that only allow authenticated domain users to access the network. Any device not authenticated or recognized by the domain will be blocked from accessing the internet.
Tayyab0101 Lv2 Posted 2024-Jul-18 17:56

You need to create a dedicated VLAN in your network environment for your domain users only.
msj Lv1 Posted 2024-Jul-18 18:02

We already segregate all networks: management VLAN 50, user VLAN 10, server VLAN 30 and guest VLAN 60. DHCP we configured on the NGAF, and SSO too, but due to a logout issue the internet stops working once they connect back, until they restart or log out/log in 2-3 times. Currently I have allowed the whole network in the policy instead of LDAP users. I will try domain isolation and the other methods explained by other members. Most probably I will try all these options next.
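The two designs proposed in this thread (Enrico Vanzetto's "trust the VLAN, let RADIUS/NPS decide who gets onto it" and jerome_itable's "permit authenticated domain users, catch-all deny below") behave differently for the edge cases that matter: an unknown laptop plugged into the user VLAN, a domain PC whose SSO session has dropped (the symptom msj describes in the last post), and a permit rule placed below the deny. The following is an added example, not code from the thread and not Sangfor NGAF code: it models first-match evaluation of an ordered rule list. The VLAN numbers come from msj's post; the subnets, device addresses, user name and rule names are assumed.

```python
"""Toy model of first-match firewall policy evaluation, comparing a
VLAN-based permit with a user-authentication-based permit plus catch-all
deny. Added example; the rule fields are a simplification, not the NGAF's
actual policy schema."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"

# Assumed addressing for the VLANs named in the thread (10/30/50/60).
VLANS = {
    "user-10":   ip_network("10.0.10.0/24"),
    "server-30": ip_network("10.0.30.0/24"),
    "mgmt-50":   ip_network("10.0.50.0/24"),
    "guest-60":  ip_network("10.0.60.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "permit" or "deny"
    src_vlans: Tuple[str, ...] = (ANY,)   # VLAN subnets the rule covers
    user_group: str = ANY                 # ANY or "domain-users"


@dataclass(frozen=True)
class Device:
    ip: str
    user: Optional[str] = None            # authenticated domain account; None = no session


def rule_matches(rule: Rule, dev: Device) -> bool:
    """A rule matches when both its source-VLAN and user-group conditions hold."""
    if ANY not in rule.src_vlans:
        if not any(ip_address(dev.ip) in VLANS[v] for v in rule.src_vlans):
            return False
    if rule.user_group == "domain-users" and dev.user is None:
        return False
    return True


def evaluate(policy: List[Rule], dev: Device) -> Tuple[str, str]:
    """Walk the ordered rule list; first match wins; implicit deny at the end."""
    for rule in policy:
        if rule_matches(rule, dev):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Approach 1 (Enrico): trust the VLAN. Keeping non-domain devices off VLAN 10
# is the switch's job (802.1X against RADIUS/NPS), not the firewall's.
VLAN_POLICY = [
    Rule("user-vlan-to-internet", "permit", src_vlans=("user-10",)),
    Rule("guest-vlan-no-internet", "deny", src_vlans=("guest-60",)),
]

# Approach 2 (jerome_itable): trust the firewall's user authentication.
# Permit rule on top, catch-all deny below it.
AUTH_POLICY = [
    Rule("domain-users-to-internet", "permit", user_group="domain-users"),
    Rule("deny-everything-else", "deny"),
]

# Same two rules in the wrong order: the catch-all deny shadows the permit.
SHADOWED_POLICY = list(reversed(AUTH_POLICY))

# Constructed devices (addresses and account are made up).
DOMAIN_PC   = Device("10.0.10.25", user="CORP\\alice")
LOGGED_OUT  = Device("10.0.10.25")     # same PC after its SSO session dropped
ROGUE_ON_10 = Device("10.0.10.77")     # unknown laptop plugged into VLAN 10
GUEST       = Device("10.0.60.40")


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict of each policy for each device, e.g. result['auth']['guest']."""
    cases = {"domain": DOMAIN_PC, "logged_out": LOGGED_OUT,
             "rogue_on_user_vlan": ROGUE_ON_10, "guest": GUEST}
    policies = {"vlan": VLAN_POLICY, "auth": AUTH_POLICY,
                "shadowed": SHADOWED_POLICY}
    return {p: {c: evaluate(rules, dev)[0] for c, dev in cases.items()}
            for p, rules in policies.items()}


if __name__ == "__main__":
    for policy_name, verdicts in compare().items():
        print(policy_name, verdicts)
```

Running it shows the trade-off behind the thread: the VLAN-only policy permits the rogue laptop as soon as it reaches VLAN 10, which is why that design depends on 802.1X/RADIUS at the switch port; the authentication-based policy denies the rogue laptop but also denies the domain PC the moment its SSO session is gone, which is the behaviour msj reports. The reversed list denies everyone, so rule order must be checked whenever a catch-all deny is present.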
