Controller Based WLANs

What is NAS id and how to use it

by 06-01-2015 11:42 PM - edited 06-01-2015 11:42 PM
Requirement:

What is a NAS id?

It primarily tells the RADIUS server which NAS (network access server) originated the Access-Request, so that the server can select the policy to apply to that request.

Note that the NAS id plays no part in client authentication: the source IP address of the Access-Request packet MUST be used to select the shared secret (the RADIUS client entry).

The NAS-Identifier attribute carries a string value holding the actual NAS id. This id can be the FQDN of the NAS or any unique string that identifies it.

On an Aruba controller, the NAS id is configured in the Authentication Server (RADIUS server) profile, alongside the RADIUS client host and the shared secret (key).



Solution:
 

How to use NAS id:

Scenario 1: Two SSIDs (for example SSID 1 and SSID 2) both use the same RADIUS server (Microsoft IAS/NPS). We want user A (Admin) to be able to connect (authenticate) only to SSID 1, and user B (TAC) to be able to connect (authenticate) only to SSID 2.

 

Aruba Controller can send multiple RADIUS attributes along with the RADIUS request such as,

  • Aruba-Essid-Name
  • Aruba-Location-Id
  • Aruba-AP-Group
  • Aruba-User-Vlan etc..

However, IAS/NPS cannot distinguish between these vendor-specific attributes while evaluating its policies; it can match on the NAS id, so we need the controller to send a unique NAS id for each SSID.

The above scenario can be accomplished by defining two different RADIUS server profiles that point to the same RADIUS server but carry two different NAS ids.

Configuration:

Two RADIUS server profiles, each with its own NAS id:

  • SSID-1-Server
  • SSID-2-Server


  1. Map these two servers to two different server groups (Group-1 and Group-2).
  2. Map Group-1 to AAA-Profile-1, and AAA-Profile-1 to VAP-1, where SSID-1 is mapped.
  3. Map Group-2 to AAA-Profile-2, and AAA-Profile-2 to VAP-2, where SSID-2 is mapped.
  4. Create a remote access policy in IAS/NPS that matches on the AD group and on the NAS id as an additional condition (both the user group and the NAS id must match).
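To make the policy logic of steps 1 to 4 concrete, here is an added example (not from the original article and not Aruba or Microsoft code) that encodes a minimal RADIUS Access-Request with a User-Name and NAS-Identifier attribute, parses it back, and evaluates policies the way the NPS rules above do, where the user group and the NAS id must both match before a role is returned. The user directory, policies and role names are constructed for the scenario, and the request authenticator is a fixed placeholder rather than a real one.

```python
import struct
from typing import Dict, List, Optional, Tuple

USER_NAME = 1        # RFC 2865 attribute type 1
NAS_IDENTIFIER = 32  # RFC 2865 attribute type 32

def build_access_request(ident: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode a RADIUS Access-Request (code 1): 20-byte header followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs after the header, rejecting inconsistent lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs

# Constructed stand-in for the AD lookup: user -> group memberships.
DIRECTORY = {"jack": {"Manager"}, "alice": {"TAC"}}

# Policies as the article describes them: group AND NAS id must both match.
POLICIES = [
    {"group": "Manager", "nas_id": "SSID-1", "role": "Manager1"},
    {"group": "Manager", "nas_id": "SSID-2", "role": "Manager2"},
]

def evaluate(packet: bytes) -> Optional[str]:
    """Return the role the first matching policy grants, or None (Access-Reject)."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"").decode()
    nas_id = attrs.get(NAS_IDENTIFIER, b"").decode()
    groups = DIRECTORY.get(user, set())
    for policy in POLICIES:  # first match wins, as NPS processes policies in order
        if policy["group"] in groups and policy["nas_id"] == nas_id:
            return policy["role"]
    return None

def request_for(user: str, nas_id: str) -> bytes:
    """Constructed request for the scenario; the authenticator is a zero placeholder."""
    return build_access_request(7, bytes(16),
                                [(USER_NAME, user.encode()), (NAS_IDENTIFIER, nas_id.encode())])
```

The same user is granted a different role purely because the two server profiles send different NAS-Identifier values; a user outside the Manager group gets no match on either SSID.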

 



Verification

As per the scenario:

1. Two SSIDs, SSID1 and SSID2, are created and mapped to two different AAA profiles.

2. These AAA profiles are mapped to two different server groups pointing to the same server.

3. Two RADIUS servers are configured with NAS ids SSID-1 and SSID-2 and mapped to the same server group.

4. Two policies are configured in the IAS server with the NAS id as one of the conditions, along with the user group "Manager", for matching the policy; they return the roles "Manager1" and "Manager2" as attributes.

5. User "Jack", a member of the Manager group, is used for testing: when jack connects to SSID1 he is mapped to the "Manager1" role, and when the same jack connects to SSID2 he is mapped to the "Manager2" role.

The setup was tested and the outputs captured below.

Policies matching on NAS ids:

Mapping different policies to the same user (jack belongs to the single user group "Manager"):

User jack is assigned the Manager1 role when connected to SSID1:

User jack is assigned the Manager2 role when connected to SSID2:

 

Comments
chuckster_ca

This is exactly what I want to do but in a Novell/eDir environment. We have an Aruba 3600 controller and FreeRADIUS running on OES 11. FreeRADIUS would go and check eDirectory. We need to create the policy in FreeRADIUS in such a way that, if the NAS-ID = Student, the RADIUS server should check the user group Student for validation and authenticate the user for MSCHAPv2. If the NAS-ID = Staff, the RADIUS server should validate the user against the Staff user group in eDirectory and send the RADIUS success for MSCHAPv2.

Where do I find the NAS-ID attribute in eDirectory?

Guru Elite
NAS-ID is from controller to RADIUS server. 


Thanks, 
Tim