Occasional Contributor II
Posts: 10
Registered: ‎03-30-2011

IAP Administrative Access via Radius on MS Server 2008 + NPS

I have two network policies defined in NPS on my W2K8R2 server for administrative access to my rap3.

The one allowing unfettered admin access is working, but the one that's supposed to allow for read-only access is not doing that; rather, it's providing the same level of access as the admin policy.

What am I missing? I tried the "Authorize only" and "Login" service-type, but my test login still has full access.

Thanks in advance,

John

Guru Elite
Posts: 19,974
Registered: ‎03-29-2007

Re: IAP Administrative Access via Radius on MS Server 2008 + NPS

u35828 wrote:

I have two network policies defined in NPS on my W2K8R2 server for administrative access to my rap3.

The one allowing unfettered admin access is working, but the one that's supposed to allow for read-only access is not doing that; rather, it's providing the same level of access as the admin policy.

What am I missing? I tried the "Authorize only" and "Login" service-type, but my test login still has full access.

Thanks in advance,

John

What are you using on the NPS side to differentiate the read-only users? You should make the default role "no-access" so that users that do not explicitly match an attribute do not get in?

noaccess.png

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 10
Registered: ‎03-30-2011

Re: IAP Administrative Access via Radius on MS Server 2008 + NPS

My admin screen looks a little different on the rap-3:

iap-admin.jpg

On my AD server, the network policy for read-only access is defined as such:

nps-readonly.jpg

Users in the radius-readonly group have read access to other network devices, based on other RO policies defined.

Guru Elite
Posts: 19,974
Registered: ‎03-29-2007

Re: IAP Administrative Access via Radius on MS Server 2008 + NPS

Sorry. That is what I get for NOT reading.

You DID say RAP3. I did not see that.

I

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 10
Registered: ‎03-30-2011

Re: IAP Administrative Access via Radius on MS Server 2008 + NPS

No worries. I did check out the Instant User Guide_6.1.3.1-3.0.0.0.pdf file, and saw something that caught my eye (pages 101-102)... the list of supported VSAs. Of particular interest was the one called Aruba-Admin-Role.

I guess the question is whether or not the RAP 3 supports the RADIUS Server VSAs referenced in the 6.1.3.1 users guide.

I would assume that something on the NPS would have to be configured to deal with those VSAs, but I have no idea on how to create them (read: M$ configuration wizards are a little less than helpful).

New Contributor
Posts: 4
Registered: ‎08-13-2013

Re: IAP Administrative Access via Radius on MS Server 2008 + NPS

Hi, do you have a step-by-step for this? I have tried and failed.

Guru Elite
Posts: 19,974
Registered: ‎03-29-2007

Re: IAP Administrative Access via Radius on MS Server 2008 + NPS

Please see the article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1320

Colin Joseph
Aruba Customer Engineering
