Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x/Windows NPS/AD failed auth/redirect?

  • 1.  802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 26, 2014 03:57 PM

    Hey All,

    As stated in the title I am using .1x with Windows NPS/AD to authenticate users. Has anyone figured out a way to redirect users to a Captive Portal Profile if their AD credentials are no good?

    Thanks,

    Rif



  • 2.  RE: 802.1x/Windows NPS/AD failed auth/redirect?
    Best Answer

    Posted Feb 26, 2014 10:04 PM

    This is not possible. When you enable 802.1X on a profile and the RADIUS server returns an access deny, this will supersede any other role assignments, including the initial role and mac-auth role. This is specific to 802.1X on wireless; a wired 802.1X authenticated port can fail to another method or bypass.



  • 3.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 09:21 AM

    Thank you for the reply. So there is nothing the controller can do with the "access deny" message from RADIUS. There is no way to tell the controller if you get the "access deny" message do x, y, or z?

    Thanks again,

    Rafael



  • 4.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 12:03 PM

    Nope, deny is deny.

    You might look into allowing and then putting the user in a limited role.



  • 5.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 12:26 PM

    Ah, ok, where would the config be for allowing the denied user into a limited role?

    Thanks,

    Rafael



  • 6.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 12:40 PM

    What do you use next to NPS, so your (I assume) wireless network equipment?

    If that is Aruba you could look into setting a Filter-Id in NPS and use that on the controller to determine the role.



  • 7.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 12:47 PM

    Yeah, Aruba 3400 controller. So you are saying if a .1x user fails authentication I can have NPS send a Filter-Id and match that to a role assignment?

    Thanks,

    Rafael



  • 8.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 02:00 PM

    Oh, no, sorry, that won't work; you need to get the request allowed and then send a Filter-Id with it. Deny is deny, meaning no access.

    Don't have an NPS around currently, but isn't there some final catch-all statement which defaults to deny? Can't you turn that to allow with a Filter-Id?



  • 9.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 02:53 PM

    I am not sure, gotta ask my systems guy...

    Rafael



  • 10.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 03:52 PM

    Once a user fails authentication, they are not allowed access. There is no fallback role or method allowed. This is a limitation of the protocols and supplicants, not Aruba and not NPS.

    I've seen multiple use cases for this. The idea would be to have an "allow-all-devices" method if user auth fails; then place the "allow-all-devices" into a separate role (captive portal to register, for example). It is nice in theory, but not sure if/when we'd see anything like that.
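An added example, not from any poster in this thread, that illustrates the two points made in replies 8 and 10: the controller can only derive a role from attributes carried in an Access-Accept, and an Access-Reject carries no role at all, whatever attributes it contains. The script builds and parses RFC 2865 RADIUS responses in Python, validates the Response Authenticator before trusting any attribute (so a forged or tampered Access-Accept is discarded), and applies a small rule list modelled on an ArubaOS server-derivation rule on Filter-Id. The rule operators, role names, shared secret and the "limited" Filter-Id value are assumptions for the example, not Aruba or NPS output. One caveat for the "accept with a limited role" approach: with PEAP/EAP-MSCHAPv2 the Accept has to come from a policy whose EAP exchange actually succeeded; NPS does not return an Access-Accept for a failed inner credential check, which is the protocol limitation reply 10 describes.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RFC 2865 codes
FILTER_ID = 11                        # RFC 2865 attribute type


def encode_attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type (1 byte), Length (2 + value), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_response(code, ident, request_auth, secret, attrs) -> bytes:
    """Build an Access-Accept/Reject as the RADIUS server does:
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_response(packet, request_auth, secret):
    """Parse a response as the NAS does; verify before trusting anything."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    # Constant-time compare: a forged or tampered response is dropped here,
    # before any attribute it carries is looked at.
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator")
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad attribute length")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return code, ident, attrs


def derive_role(code, attrs, rules, default_role):
    """Assumed model of an ArubaOS server-derivation rule on Filter-Id.
    rules: (operator, match, role) with operator equals/contains/value-of.
    Only an Access-Accept is considered: a Reject yields None whatever
    attributes it carries (deny is deny, no initial/fallback role)."""
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype != FILTER_ID:
            continue
        text = value.decode("utf-8", "replace")
        for op, match, role in rules:
            if (op == "equals" and text == match) or \
               (op == "contains" and match in text):
                return role
            if op == "value-of":
                return text
    return default_role


# Constructed demo values (secret, request authenticator, rule set, names).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
RULES = [("equals", "corp-user", "authenticated"),
         ("equals", "limited", "captive-portal-role")]  # catch-all NPS policy
DEFAULT_ROLE = "logon"


def demo():
    # Catch-all NPS policy answering Access-Accept + Filter-Id "limited".
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET,
                            [(FILTER_ID, b"limited")])
    code, _, attrs = parse_response(accept, REQUEST_AUTH, SECRET)
    limited_role = derive_role(code, attrs, RULES, DEFAULT_ROLE)

    # Access-Reject carrying the same attribute: no role can be derived.
    reject = build_response(ACCESS_REJECT, 8, REQUEST_AUTH, SECRET,
                            [(FILTER_ID, b"limited")])
    code, _, attrs = parse_response(reject, REQUEST_AUTH, SECRET)
    reject_role = derive_role(code, attrs, RULES, DEFAULT_ROLE)

    # Flip one attribute byte of the Accept: the authenticator check fails.
    tampered = bytearray(accept)
    tampered[-1] ^= 0x01
    try:
        parse_response(bytes(tampered), REQUEST_AUTH, SECRET)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return limited_role, reject_role, tamper_detected


if __name__ == "__main__":
    print(demo())  # ('captive-portal-role', None, True)
```

The Access-Reject case returns no role even though the packet carries a Filter-Id, which is the behaviour the replies above describe; the only way the rule list is consulted at all is an Access-Accept, so the limited role has to be granted by a policy that accepts the request.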



  • 11.  RE: 802.1x/Windows NPS/AD failed auth/redirect?



  • 12.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 04:26 PM

    Yes, but that example given is not for PEAP authentication with AD: it is using the USERS config file for management logins. I am not sure it would work with 802.1X auths. If you (or anyone) are aware of how this can be done, please share with the group.



  • 13.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 04:37 PM

    Ah yes, I see that now. So that case has a USERS config file somehow pre-populated with users and their creds; if a user comes on the network, Aruba will check that, dropping down through all the users in the file until it hits that last DEFAULT group element and returns a Filter-Id Aruba can associate with another role. Right, so the trick here would be to get FreeRADIUS to send something usable back to the controller when AD tells FreeRADIUS that the user's auth attempt has failed...

    Rafael



  • 14.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 27, 2014 09:35 PM
    I've been thinking about this... But with ClearPass, not NPS.

    Are you wanting to do this for all devices or just domain-joined devices (i.e. Windows laptops)?



  • 15.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 28, 2014 09:31 AM

    All devices.

    Rafael



  • 16.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 28, 2014 12:30 PM
    Yeah, I know with ClearPass you could do this and use a second open SSID to handle the failed authentication, and it would place the client in a VLAN to remediate. But not sure you can with "all devices" on a dot1x. I think that is why more networks are going to certificates to authenticate.


  • 17.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 28, 2014 02:23 PM

    sdr53, how would you do this with two SSIDs? Do you suggest you can forward something or such?

    r.ertel, do you have access to your NPS? Can't you create a Network Policy with pretty much no checks that just allows access? Not sure if this will work, but it might.



  • 18.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Feb 28, 2014 03:34 PM
    Well, it's fairly complex, but based on authenticating against a database that is a log of your 802.1x network you can check to see if they authenticated and then failed most recently. When they connect to the open SSID because they can't connect to the dot1x one, they get redirected to a self-service password reset.

    It might be a long shot for your environment. But not sure what your open SSID looks like, if you even have one.


  • 19.  RE: 802.1x/Windows NPS/AD failed auth/redirect?

    Posted Mar 01, 2014 01:06 PM

    Sounds interesting, but feels a little dependent on how exactly clients behave. Does this always work for you?