Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP Administrative Access via Radius on MS Server 2008 + NPS

  • 1.  IAP Administrative Access via Radius on MS Server 2008 + NPS

    Posted Aug 19, 2012 12:29 PM

    I have two network policies defined in NPS on my W2K8R2 server for administrative access to my rap3. 

     

    The one allowing unfettered admin access is working, but the one that's supposed to allow for read-only access is not doing that; rather, it's providing the same level of access as the admin policy. 

     

    What am I missing?  I tried the "Authorize only" and "Login" service-type, but my test login still has full access.

     

    Thanks in advance,

     

    John

     

     

     

     



  • 2.  RE: IAP Administrative Access via Radius on MS Server 2008 + NPS

    EMPLOYEE
    Posted Aug 19, 2012 01:13 PM

    @u35828 wrote:

    I have two network policies defined in NPS on my W2K8R2 server for administrative access to my rap3. 

     

    The one allowing unfettered admin access is working, but the one that's supposed to allow for read-only access is not doing that; rather, it's providing the same level of access as the admin policy. 

     

    What am I missing?  I tried the "Authorize only" and "Login" service-type, but my test login still has full access.

     

    Thanks in advance,

     

    John

     

     

     

     


    What are you using on the NPS side to differentiate the read-only users?  You should make the default role "no-access" so that users that do not explicitly match an attribute do not get in?

     

    noaccess.png



  • 3.  RE: IAP Administrative Access via Radius on MS Server 2008 + NPS

    Posted Aug 19, 2012 03:01 PM

    My admin screen looks a little different on the rap-3:

     

    iap-admin.jpg

     

    On my AD server, the network policy for read-only access is defined as such:

     

    nps-readonly.jpg

     

    Users in the radius-readonly group have read access to other network devices, based on other RO policies defined.



  • 4.  RE: IAP Administrative Access via Radius on MS Server 2008 + NPS

    EMPLOYEE
    Posted Aug 19, 2012 03:15 PM

    Sorry.  That is what I get for NOT reading.

     

    You DID say RAP3.  I did not see that.  

     

    I



  • 5.  RE: IAP Administrative Access via Radius on MS Server 2008 + NPS

    Posted Aug 19, 2012 09:13 PM

    No worries.  I did check out the Instant User Guide_6.1.3.1-3.0.0.0.pdf file, and saw something that caught my eye (pages 101-102)...the list of supported VSAs.  Of particular interest was the one called Aruba-Admin-Role.

     

    I guess the question is whether or not the RAP 3 supports the RADIUS Server VSAs referenced in the 6.1.3.1 user guide.

     

    I would assume that something on the NPS would have to be configured to deal with those VSAs, but I have no idea how to create them (read:  M$ configuration wizards are a little less than helpful).



  • 6.  RE: IAP Administrative Access via Radius on MS Server 2008 + NPS

    Posted Jun 04, 2014 10:07 PM

    Hi, do you have a step-by-step for this? I have tried and failed.

     



  • 7.  RE: IAP Administrative Access via Radius on MS Server 2008 + NPS

    EMPLOYEE
    Posted Jun 05, 2014 04:13 AM