10-20-2016 08:28 AM
I'm trying to return the Filter-Id string from Microsoft NPS to set a user roles in Instant.
Authentication is working fine, but the users keep getting the default role.
I have a string value set to be returned in the 'Settings' tab of the NPS server.
I'm using role based access control on the Instant AP. 'If Filter-Id equals <string> assing role <role>.
Is there some magic knob I'm forgetting to click?
Solved! Go to Solution.
10-20-2016 09:54 AM
Try "contains" instead of "matches"
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
10-20-2016 03:40 PM
Thanks for the reply.
Still not working after using 'contains'. I also tried returning the Aruba- User-Role VSA with vendor code 14823, with an appropriate rule setup in instant, but that didn't work either.
Is there any way to see the full packet that's being returned from the NPS server? I tried a 'debug pkt type radius' with a 'debug pkt dump.'
That showed me that a packet is coming back from the radius server, but didn't show me all the details. Is there a way to see those?
10-20-2016 03:43 PM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
10-20-2016 04:10 PM
Yes, I've tried that too.
I've also tried setting 'Filter-Id is the role' and 'Aruba-User-Role is the role' in the Instant GUI, but users keep getting the default role.
10-20-2016 04:30 PM
Oops... My apologies.
A deep study of the Windows Server Event viewer showed that the wrong rule was being hit in the NPS server. I need to play with the 'Conditions' tab in NPS.
But it's good to know that you can just return the Aruba-User-Role and no rule is needed in Instant.
10-20-2016 05:13 PM
So I realize that this is a Windows NPS issue, but has anyone seen this?
On the Network Policy, when I remove the condition that the user in the incoming request has to be a member of a certain user group, the policy works.
But when I specifiy the user group in the conditions, the policy is not hit.
I've checked that the user is a member of the group.
And the windows event log shows that the incoming request has the proper user name.