Security, WIDS/WIPS and Aruba ECS

Occasional Contributor II
Posts: 12
Registered: 07-13-2010

NPS RADIUS and selecting role on a failed auth

I'm hoping someone has setup something similar to what we're trying to achieve. We're building a PEAP/WPA2 SSID which backends to a Windows NPS RADIUS server that's doing AD authentication.

We want to take failed authentications (either UserID not found or password mistypes) and send a RADIUS attribute back to the Aruba controller which will set the role of the user to some type of quarantine.

The problem is, I cannot seem to get NPS RADIUS to cooperate with me. The server either discards or denies access based on the incorrect userID or password instead of falling through to a rule which I created that basically says "allow this user, whoever it is, but here's the RADIUS attribute to quarantine them".

Has anyone hacked something similar together? Can you give me a pointer (even if it's not exactly the path I'm going down) to achieve the goal?

Thanks for reading.
Eric
Guru Elite
Posts: 20,586
Registered: 03-29-2007

Nps

Well, I have good news and bad news. The bad news is that NPS does not send back an attribute on failure. The good news is that Freeradius can and will do that.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 12
Registered: 07-13-2010

Re: NPS RADIUS and selecting role on a failed auth

Colin, thanks for the response. I'm actually a step removed from trying to get the NPS to send an attribute with the RADIUS-reject. Instead, I'm hoping to just get the NPS to authenticate ANY user, but for the ones whose user/pass is correct (i.e. in AD), they get a real authN/authZ.... the ones who aren't in AD fall through to a different policy (which is what I'm struggling to build properly and hoping for help on) and get authenticated... but the RADIUS attribute that's sent back in this particular RADIUS-accept quarantines them.

For some reason, it seems easiest to put this into a faux-programming language:

if (user partof AD and password correct)
    RADIUS-accept
else
{
    RADIUS-accept
    RADIUS Filter-ID = quarantine
}

...or maybe there's a way to trick AD into authenticating everyone and sending its own "attribute" back to NPS that I can quarantine on?

And, for clarification, we're running FreeRADIUS all over the place for other services, but are finding we like the user experience of PEAP for WPA2. Because of that, we went down the NPS path because it's my understanding that trying to get a FreeRADIUS box to backend to AD is a nightmare and somewhat unstable - in other words, a Windows box that's part of the domain is a stabler design for PEAP/AD. I'd be happy to hear that I'm wrong though :)

TIA
Aruba Employee
Posts: 10
Registered: 03-07-2008

Re: NPS RADIUS and selecting role on a failed auth

Eric, I am not versed in NPS, but I have this working with FreeRADIUS in my lab. The use of the keyword DEFAULT is what you are looking for. In my USERS config file, I have the following which allows any user that types in any username/password combination to be authenticated and passed an attribute from FreeRADIUS. If the username is in the file and the password is incorrect, they will simply be REJECTED.

The attribute can be anything that you want to key on for role derivation.

kgriffin    User-Password == "changeme"
            Aruba-Priv-Admin-User = 1,
            Filter-ID = "authenticated"

DEFAULT     Group == "NoAuthentication", Auth-Type := Accept
            Aruba-Priv-Admin-User = 0,
            Filter-ID = "somerole"

This statement MUST be at the end of the user declarations for it to not cause security issues. The Group attribute is irrelevant in this case. The Filter-ID is what sets the role, in my case.
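The following is an added example, not code from this thread and not FreeRADIUS's own implementation. It is a simplified first-match model of the users-file behaviour Kelly's post relies on (and of Eric's if/else pseudocode above): entries are scanned in order, the first entry whose name and check items match decides the outcome, and a DEFAULT entry with Auth-Type := Accept short-circuits the password check. The entries, usernames and passwords are constructed from the snippet in the post; the Group check item is ignored because the post says it is irrelevant here. Real FreeRADIUS has more machinery (Fall-Through, per-module processing), so this only models enough to show why the DEFAULT entry has to be last.

```python
# Added example (not code from the post or from FreeRADIUS): a simplified,
# first-match model of the "users" file behaviour the thread relies on.
# Entries are scanned in order; the first entry whose name and check items
# match decides the result, and later entries are never consulted.

# Constructed entries mirroring the users file from the post:
# (name, check items, reply items). The name "DEFAULT" matches any user.
# The Group check item is carried but not evaluated (the post calls it irrelevant).
ENTRIES_DEFAULT_LAST = [
    ("kgriffin",
     {"User-Password": "changeme"},
     {"Aruba-Priv-Admin-User": 1, "Filter-ID": "authenticated"}),
    ("DEFAULT",
     {"Group": "NoAuthentication", "Auth-Type": "Accept"},
     {"Aruba-Priv-Admin-User": 0, "Filter-ID": "somerole"}),
]

# The same entries with DEFAULT first: the misordering the post warns about.
ENTRIES_DEFAULT_FIRST = list(reversed(ENTRIES_DEFAULT_LAST))


def evaluate(entries, username, password):
    """Return ("Access-Accept", reply_items) or ("Access-Reject", {})."""
    for name, check, reply in entries:
        if name != "DEFAULT" and name != username:
            continue  # entry belongs to a different user
        # Auth-Type := Accept short-circuits authentication: no password check.
        if check.get("Auth-Type") == "Accept":
            return "Access-Accept", dict(reply)
        # A named entry with a stored password: compare it. A mismatch is a
        # Reject, because the matched entry is not abandoned in favour of
        # later ones (no Fall-Through in the post's configuration).
        if "User-Password" in check:
            if check["User-Password"] == password:
                return "Access-Accept", dict(reply)
            return "Access-Reject", {}
    return "Access-Reject", {}  # nothing matched at all


def role_for(entries, username, password):
    """Role the controller would derive from Filter-ID, or None on Reject."""
    code, reply = evaluate(entries, username, password)
    return reply.get("Filter-ID") if code == "Access-Accept" else None


def default_accept_is_last(entries):
    """Config check: a DEFAULT entry that forces Accept must be the final entry."""
    last = len(entries) - 1
    for i, (name, check, _reply) in enumerate(entries):
        if name == "DEFAULT" and check.get("Auth-Type") == "Accept" and i != last:
            return False
    return True


if __name__ == "__main__":
    for entries, label in ((ENTRIES_DEFAULT_LAST, "DEFAULT last"),
                           (ENTRIES_DEFAULT_FIRST, "DEFAULT first")):
        print(f"--- {label} (ordering ok: {default_accept_is_last(entries)})")
        for user, pw in (("kgriffin", "changeme"),
                         ("kgriffin", "wrong"),
                         ("newhire", "anything")):
            print(f"{user:>9} / {pw:<9} -> {evaluate(entries, user, pw)}")
```

With DEFAULT last, kgriffin with the right password gets Filter-ID "authenticated", kgriffin with a wrong password is rejected, and an unknown user is accepted into "somerole". With DEFAULT first, every request, including the known user's mistyped password, matches the Accept entry and lands in "somerole", and nobody ever reaches the "authenticated" role; that is the ordering problem the post refers to.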
Occasional Contributor II
Posts: 12
Registered: 07-13-2010

Re: NPS RADIUS and selecting role on a failed auth

Kelly, thanks.... I think you and I were talking through Mike Miller who had sent me something similar (your kgriffin password was funnier in email, though~). I wish I could use FreeRADIUS for this - I'm much more comfortable with it, but I feel like PEAP w/ AD is forcing me down the path of NPS :rolleyes:

If anyone has experience with FreeRADIUS authenticating to AD, maybe that should be what I'm asking for.... thoughts?
Guru Elite
Posts: 20,586
Registered: 03-29-2007

Quite a Few

"Authenticating against Active Directory is a common deployment of FreeRADIUS" http://deployingradius.com/documents/configuration/active_directory.html


Colin Joseph
Aruba Customer Engineering

