Aruba Instant & Cloud Wi-Fi

Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Using Filter-Id from Microsoft NPS to set roles

Hi:

I'm trying to return the Filter-Id string from Microsoft NPS to set user roles in Instant.

Authentication is working fine, but the users keep getting the default role.

 

I have a string value set to be returned in the 'Settings' tab of the NPS server.

I'm using role-based access control on the Instant AP: 'If Filter-Id equals <string> assign role <role>.'

 

Is there some magic knob I'm forgetting to click?

 

Thank you!

Guru Elite
Posts: 20,766
Registered: ‎03-29-2007

Re: Using Filter-Id from Microsoft NPS to set roles

 

Try "contains" instead of "matches"



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Using Filter-Id from Microsoft NPS to set roles

Hi Colin:

Thanks for the reply.

Still not working after using 'contains'. I also tried returning the Aruba-User-Role VSA with vendor code 14823, with an appropriate rule set up in Instant, but that didn't work either.

 

Is there any way to see the full packet that's being returned from the NPS server? I tried a 'debug pkt type radius' with a 'debug pkt dump.'

That showed me that a packet is coming back from the RADIUS server, but didn't show me all the details. Is there a way to see those?

 

Thanks!
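
For the question above about seeing everything the RADIUS server sends back: an added example (not part of the original thread and not Aruba's tooling) that decodes Filter-Id and the Aruba-User-Role VSA from the raw UDP payload of a reply, such as one exported from a packet capture. The sample packet and its role names are constructed; Aruba-User-Role as vendor type 1 is taken from Aruba's RADIUS dictionary.

```python
import struct

FILTER_ID = 11           # RFC 2865 Filter-Id
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific
ARUBA_VENDOR_ID = 14823  # vendor code quoted in the thread
ARUBA_USER_ROLE = 1      # Aruba-User-Role in Aruba's RADIUS dictionary
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def _tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse_reply(packet: bytes) -> dict:
    """Decode the role-related attributes of one RADIUS reply (UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    out = {"code": CODES.get(code, str(code)), "id": ident,
           "filter_ids": [], "aruba_roles": [], "other_types": []}
    for atype, value in _tlvs(packet[20:length]):
        if atype == FILTER_ID:
            out["filter_ids"].append(value.decode("utf-8", "replace"))
        elif atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", ARUBA_VENDOR_ID):
            # Aruba VSA: 4-byte vendor id followed by vendor type/length/value
            for vtype, vvalue in _tlvs(value[4:]):
                if vtype == ARUBA_USER_ROLE:
                    out["aruba_roles"].append(vvalue.decode("utf-8", "replace"))
        else:
            out["other_types"].append(atype)  # anything else, listed by type number
    return out

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def sample_accept(with_roles: bool = True) -> bytes:
    """Constructed Access-Accept (zeroed authenticator); role names are made up."""
    attrs = _attr(25, b"constructed-class")  # Class attribute, always present here
    if with_roles:
        vsa = struct.pack("!I", ARUBA_VENDOR_ID) + _attr(ARUBA_USER_ROLE, b"employee")
        attrs += _attr(FILTER_ID, b"staff") + _attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", 2, 7, 20 + len(attrs)) + bytes(16) + attrs
```

An Access-Accept that decodes with both `filter_ids` and `aruba_roles` empty means the server never sent a role attribute, which points at the policy on the RADIUS server rather than at the rules on the AP.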

Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: Using Filter-Id from Microsoft NPS to set roles

Just a side note, have you considered using the Aruba-User-Role VSA instead of filter-id? You would eliminate all of these extra steps.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Using Filter-Id from Microsoft NPS to set roles

Hi Tim:

Yes, I've tried that too.

I've also tried setting 'Filter-Id is the role' and 'Aruba-User-Role is the role' in the Instant GUI, but users keep getting the default role.

Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: Using Filter-Id from Microsoft NPS to set roles

You don't need any rules on the IAP side when using the Aruba VSA.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Using Filter-Id from Microsoft NPS to set roles

Oops... My apologies.

A deep study of the Windows Server Event viewer showed that the wrong rule was being hit in the NPS server. I need to play with the 'Conditions' tab in NPS.

 

But it's good to know that you can just return the Aruba-User-Role and no rule is needed in Instant.

Thank you.

Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Using Filter-Id from Microsoft NPS to set roles

So I realize that this is a Windows NPS issue, but has anyone seen this?

 

On the Network Policy, when I remove the condition that the user in the incoming request has to be a member of a certain user group, the policy works.

But when I specify the user group in the conditions, the policy is not hit.

 

I've checked that the user is a member of the group.

And the Windows event log shows that the incoming request has the proper user name.

 

Puzzling....

 

Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Using Filter-Id from Microsoft NPS to set roles

I'll answer my own question.

You have to select "Windows Groups" in the Conditions tab.

Thank you.

 
