Enterprise Lockdown

New Contributor
Posts: 3
Registered: ‎08-20-2010

Microsoft IAS cannot read Aruba ESSID VSA

Requirement: (2) SSIDs and (2) associated AD Groups. We are looking to use Microsoft IAS as the RADIUS server for authentication; however, it does not seem to be able to read the ESSID info that the controller is sending to it. We want to control access to a specific ESSID based on Active Directory Group membership (i.e. Student vs. Staff). This requires that the RADIUS server knows what ESSID the client is attempting to associate to. While we can see in the IAS log that the controller is sending the ESSID, IAS does not recognize the attribute.

I can see in the support site that there are Aruba dictionaries that you can use, but none of them are for MS IAS.

We have successfully restricted network access based on Group Membership under a single ESSID, which basically yields the same level of security; however this requires the purchase of PEF. (Not a bad thing, I love the PEF, but the customer does not want to buy PEF.)

Has anyone "out there" successfully done this using MS IAS (2003, 2008, etc. Any version would do)?
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Microsoft IAS cannot read Aruba ESSID VSA

One of the Aruba engineers came up with a brilliant workaround. Create a separate server group for each eSSID and then set the NAS-ID in the server group to match the eSSID. That way, you can use a standard RADIUS attribute (NAS-ID) in your IAS rules to enforce per-SSID policies. Works perfectly. The only downside would be creating multiple AAA groups, but if you only have 2 eSSIDs, you are OK.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Microsoft IAS cannot read Aruba ESSID VSA

BTW - this was done on NPS, but IAS should be the same.
New Contributor
Posts: 3
Registered: ‎08-20-2010

Re: Microsoft IAS cannot read Aruba ESSID VSA

Thx!! I'm gonna cook this up in the lab and take it for a test drive.

*******************************************************

Test Drive is Successful!!!!!

Thanx Olino!!!!!!
Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: Microsoft IAS cannot read Aruba ESSID VSA

Can someone elaborate on how this was done? Where do we configure the server groups?

Thanks.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Microsoft IAS cannot read Aruba ESSID VSA

Server groups can be configured in the GUI by clicking on Configuration > Authentication > Server Group (click the word server group, not just the +). You can add a new group from there.

Before you add the group, you should create your authentication servers (RADIUS, probably) under Configuration > Authentication > RADIUS Server. When you create the server, there is a field called NAS-ID. Set the NAS-ID to be the name of your SSID (eSSID).

Now, in NPS/IAS (or any other RADIUS server, probably) you can assign a rule that says "if the NAS-ID is , do x", where x is any policy that the RADIUS server supports (return an attribute, enforce a Microsoft policy check, etc).
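The point of the workaround above is that NAS-Identifier (RFC 2865 attribute 32) is in every RADIUS server's base dictionary, while the ESSID the controller sends travels inside a Vendor-Specific attribute that IAS can log but not evaluate. The following is an added example, not code from the thread, from Aruba or from Microsoft: it encodes a constructed Access-Request attribute section the way a controller would, parses it once as a server that knows the Aruba dictionary and once as a server that does not, and runs a toy per-SSID group check against a constructed user-to-group map. The vendor id 14823 and the Aruba-Essid-Name vendor type 5 are assumptions taken from the public Aruba RADIUS dictionary; the user names, SSID names and group names are made up.

```python
"""Added example: why NAS-Identifier works where the Aruba ESSID VSA does not.

Constructed RADIUS attribute encoding/decoding plus a toy per-SSID policy
check. Not Aruba or Microsoft code; the values marked 'assumed' should be
verified against the Aruba RADIUS dictionary on the support site.
"""
import struct

USER_NAME = 1            # RFC 2865
NAS_IDENTIFIER = 32      # RFC 2865
VENDOR_SPECIFIC = 26     # RFC 2865
ARUBA_VENDOR_ID = 14823  # assumed: Aruba's IANA enterprise number from the Aruba dictionary
ARUBA_ESSID_NAME = 5     # assumed: Aruba-Essid-Name vendor attribute number

# Constructed stand-in for AD group membership and for the two NPS policies
AD_GROUPS = {"alice": {"Staff"}, "bob": {"Students"}}
SSID_REQUIRED_GROUP = {"STAFF-WLAN": "Staff", "STUDENT-WLAN": "Students"}


def attr(attr_type, value):
    """Encode one standard RADIUS attribute (Type, Length, Value)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(data, known_vendors=()):
    """Decode the attribute section of a RADIUS packet.

    Standard attributes are keyed by type number. A VSA whose vendor id is
    in known_vendors is split into (vendor_id, vendor_type) keys; any other
    VSA is kept only as raw bytes under ("raw-vsa", vendor_id), which is the
    position of a server without the Aruba dictionary (IAS in the thread):
    the bytes show up in the log but the ESSID inside is unusable in a rule.
    """
    attrs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id in known_vendors:
                j = 4
                while j < len(value):
                    vtype, vlen = value[j], value[j + 1]
                    if vlen < 2 or j + vlen > len(value):
                        raise ValueError("bad vendor sub-attribute length")
                    attrs[(vendor_id, vtype)] = value[j + 2:j + vlen]
                    j += vlen
            else:
                attrs[("raw-vsa", vendor_id)] = value
        else:
            attrs[atype] = value
        i += alen
    return attrs


def decide(attrs, ssid_key):
    """Toy NPS-style rule: read the SSID from ssid_key, require its AD group."""
    user = attrs.get(USER_NAME, b"").decode()
    ssid_raw = attrs.get(ssid_key)
    if ssid_raw is None:
        return "Reject"                       # cannot tell which SSID: fail closed
    required = SSID_REQUIRED_GROUP.get(ssid_raw.decode())
    if required is None:
        return "Reject"                       # SSID with no policy: fail closed
    return "Accept" if required in AD_GROUPS.get(user, set()) else "Reject"


def controller_request(user, essid, nas_id):
    """Constructed Access-Request attributes as a controller would send them."""
    return (attr(USER_NAME, user.encode())
            + attr(NAS_IDENTIFIER, nas_id.encode())
            + vsa(ARUBA_VENDOR_ID, ARUBA_ESSID_NAME, essid.encode()))


if __name__ == "__main__":
    req = controller_request("bob", "STAFF-WLAN", "STAFF-WLAN")
    # A server with the Aruba dictionary can key the rule on the VSA ...
    full = parse_attrs(req, known_vendors={ARUBA_VENDOR_ID})
    print("VSA rule:   ", decide(full, (ARUBA_VENDOR_ID, ARUBA_ESSID_NAME)))
    # ... a server without it (IAS) only sees opaque bytes, so that rule
    # can never match, but NAS-Identifier still carries the same decision.
    ias = parse_attrs(req)
    print("VSA rule:   ", decide(ias, (ARUBA_VENDOR_ID, ARUBA_ESSID_NAME)))
    print("NAS-ID rule:", decide(ias, NAS_IDENTIFIER))
```

Two things worth noting when carrying this over to real NPS. First, an SSID the server has no rule for is rejected here rather than accepted; make sure the last network policy in NPS is a deny-all so an ESSID that was forgotten in a server group does not fall through. Second, the NAS-Identifier value is whatever the controller is configured to send, so a typo in the NAS-ID field of one authentication server silently moves that SSID onto the catch-all rule; check the NAS-Identifier column in the NPS accounting log after changing the controller config.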
Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: Microsoft IAS cannot read Aruba ESSID VSA

Thanks for the reply. So you're saying we could set up one set of authentication servers which could pass SSID01 as the NAS-ID. The second set of authentication servers could pass SSID02 as the NAS-ID. Like the scenario below.

I wanted to clarify that even though they are 2 different sets they can be the same authentication servers.

Set A
Auth Server 1
Auth Server 2
NAS-ID = SSID01

Set B
Auth Server 1
Auth Server 2
NAS-ID = SSID02
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Microsoft IAS cannot read Aruba ESSID VSA

Not quite. When I re-read my post, that's what it sounded like to me too. Sorry.

What I am saying is:

Server group A
auth server 1a, nas-id SSID01
auth server 2a, nas-id SSID01

Server group B
auth server 1b, nas-id SSID02
auth server 2b, nas-id SSID02

Note that there will be a server group per SSID and each auth server will have a config entry per SSID.
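The layout in the post above, written out as an added ArubaOS-style CLI fragment (not configuration from the thread or from Aruba documentation). The same two NPS hosts are defined twice, once per SSID, with only the NAS-Identifier differing, and each server group is then tied to its own AAA profile and virtual AP. Server names, IP addresses, profile names and the shared secret are placeholders; the command names follow the ArubaOS 6.x CLI and should be checked against the running version.

```text
! Server group A: both NPS servers, NAS-Identifier = the staff ESSID
aaa authentication-server radius "NPS1-SSID01"
   host 10.0.0.5
   key <shared-secret>
   nas-identifier "SSID01"
!
aaa authentication-server radius "NPS2-SSID01"
   host 10.0.0.6
   key <shared-secret>
   nas-identifier "SSID01"
!
aaa server-group "SG-SSID01"
   auth-server "NPS1-SSID01"
   auth-server "NPS2-SSID01"
!
! Server group B: the same two NPS hosts again, NAS-Identifier = the student ESSID
aaa authentication-server radius "NPS1-SSID02"
   host 10.0.0.5
   key <shared-secret>
   nas-identifier "SSID02"
!
aaa authentication-server radius "NPS2-SSID02"
   host 10.0.0.6
   key <shared-secret>
   nas-identifier "SSID02"
!
aaa server-group "SG-SSID02"
   auth-server "NPS1-SSID02"
   auth-server "NPS2-SSID02"
!
! One AAA profile per server group, one virtual AP per ESSID
aaa profile "AAA-SSID01"
   dot1x-server-group "SG-SSID01"
!
aaa profile "AAA-SSID02"
   dot1x-server-group "SG-SSID02"
!
wlan ssid-profile "SSID01"
   essid "SSID01"
!
wlan ssid-profile "SSID02"
   essid "SSID02"
!
wlan virtual-ap "VAP-SSID01"
   ssid-profile "SSID01"
   aaa-profile "AAA-SSID01"
!
wlan virtual-ap "VAP-SSID02"
   ssid-profile "SSID02"
   aaa-profile "AAA-SSID02"
!
```

On the NPS side the matching condition is NAS Identifier under the RADIUS Client Properties conditions of each network policy, one policy per SSID with the corresponding AD group in its Windows Groups condition. Keep in mind that NPS treats the NAS Identifier value as a pattern, so anchor it (for example `^SSID01$`) rather than relying on a bare string, or a future "SSID01-guest" would match the staff policy too.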