Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

802.1x/Windows NPS/AD failed auth/redirect?

Hey All,


As stated in the title, I am using .1x with Windows NPS/AD to authenticate users. Has anyone figured out a way to redirect users to a Captive Portal Profile if their AD credentials are no good?


Thanks,


Rif

Aruba
Posts: 1,636
Registered: ‎04-13-2009

Re: 802.1x/Windows NPS/AD failed auth/redirect?

This is not possible. When you enable 802.1X on a profile and the RADIUS server returns an access deny, this will supersede any other role assignments, including the initial role and mac-auth role. This is specific to 802.1X on wireless; a wired 802.1X authenticated port can fail to another method or bypass.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: 802.1x/Windows NPS/AD failed auth/redirect?

Thank you for the reply. So there is nothing the controller can do with the "access deny" message from RADIUS? There is no way to tell the controller, if you get the "access deny" message, do x, y, or z?


Thanks again,


Rafael

MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: 802.1x/Windows NPS/AD failed auth/redirect?

Nope, deny is deny.


You might look into allowing and then putting them in a limited role.

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: 802.1x/Windows NPS/AD failed auth/redirect?

Ah, ok, where would the config be for allowing the denied user into a limited role?


Thanks,


Rafael

MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: 802.1x/Windows NPS/AD failed auth/redirect?

What do you use next to NPS, so your (I assume) wireless network equipment?


If that is Aruba, you could look into setting a filter-id in NPS and using that on the controller to determine the role.

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: 802.1x/Windows NPS/AD failed auth/redirect?

Yeah, an Aruba 3400 controller. So you are saying if a .1x user fails authentication, I can have NPS send a filter-id and match that to a role assignment?


Thanks,


Rafael

MVP
Posts: 1,405
Registered: ‎11-30-2011

Re: 802.1x/Windows NPS/AD failed auth/redirect?

Oh, no, sorry, that won't work; you need to get the request allowed and then send a filter-id with it. Deny is deny, meaning no access.


I don't have an NPS around currently, but isn't there some final catch-all statement which defaults to deny? Can't you turn that to allow with a filter-id?

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: 802.1x/Windows NPS/AD failed auth/redirect?

I am not sure, gotta ask my systems guy...


Rafael

Aruba
Posts: 1,636
Registered: ‎04-13-2009

Re: 802.1x/Windows NPS/AD failed auth/redirect?


Once a user fails authentication, they are not allowed access. There is no fallback role or method allowed. This is a limitation of the protocols and supplicants, not Aruba and not NPS.


I've seen multiple use cases for this. The idea would be to have an "allow-all-devices" method if user auth fails, then place the "allow-all-devices" into a separate role (captive portal to register, for example). It is nice in theory, but I'm not sure if/when we'd see anything like that.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
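A worked illustration of the two points made in this thread, added here as an example and not code from the thread, from Aruba or from Microsoft: an Access-Reject leaves no room for any fallback role, while an Access-Accept carrying a Filter-Id can be mapped on the controller to a limited role. The role names, shared secret and packet bytes are constructed, the ROLE_MAP and default role name are hypothetical stand-ins for the controller's server-derived role configuration, and the code verifies the RADIUS Response Authenticator before it trusts the attribute.

```python
import hashlib
import struct
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FILTER_ID = 11  # RADIUS attribute type for Filter-Id (RFC 2865 section 5.11)
# Hypothetical server-derived role table (constructed names): Filter-Id from NPS -> controller role.
ROLE_MAP = {"employee": "authenticated", "limited": "limited-captive-portal"}

def build_response(code, ident, request_auth, secret, attrs):
    """Build a RADIUS reply with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def verify_response(pkt, request_auth, secret):
    """True only if the reply was produced with our shared secret for our request."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() == pkt[4:20]

def parse_attributes(pkt):
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(pkt[pos + 2:pos + l])
        pos += l
    return attrs

def derive_role(pkt, request_auth, secret, default_role="dot1x-default"):
    """Reject overrides every role; Accept uses the Filter-Id mapping, else the (hypothetical) 802.1X default role."""
    if not verify_response(pkt, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    if pkt[0] != ACCESS_ACCEPT:
        return None  # deny is deny: no initial role, no MAC-auth role, no captive portal
    for value in parse_attributes(pkt).get(FILTER_ID, []):
        role = ROLE_MAP.get(value.decode("utf-8", "replace"))
        if role:
            return role
    return default_role

SECRET = b"constructed-shared-secret"  # constructed sample value
REQ_AUTH = bytes(range(16))            # constructed Request Authenticator

def demo():
    accept = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET, [(FILTER_ID, b"limited")])
    reject = build_response(ACCESS_REJECT, 8, REQ_AUTH, SECRET, [])
    return derive_role(accept, REQ_AUTH, SECRET), derive_role(reject, REQ_AUTH, SECRET)
```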
