Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-PEAP & EAP-TLS co-existing using same MS NPS server

  • 1.  EAP-PEAP & EAP-TLS co-existing using same MS NPS server

    Posted Oct 01, 2014 04:05 AM

    Hi Guys,

    Trying to work out the *best* way to achieve this if possible. It's been a long time between Aruba lunches so just getting back into the swing of things and thoughts are appreciated!

    Setup - dual controllers, single corporate NPS server, single AirWave server. No ClearPass.

    SSID 1 - full access - Corporate devices auth'd via machine certs - EAP-TLS using corporate MS NPS server

    SSID 2 - internet access only - BYOD devices auth'd via EAP-PEAP - using the same corporate MS NPS server.

    We definitely do not want any misconfiguration on NPS policy that would allow users to get their xPhones & xPads onto SSID 1 via PEAP.

    We ideally do not want corporate laptops on SSID 2 by default (although not sure if this is too much effort to try and block).

    They have an existing "basic" setup for SSID 1 - about as complex as the NPS policy gets is checking the computer is a member of a group (plus cert of course).

    Is there an achievable way to get this happening without breaking too much of the existing setup?

    Would it help simplicity to farm off the auth for SSID 2 to another RADIUS box?

    cheers,

    Pete



  • 2.  RE: EAP-PEAP & EAP-TLS co-existing using same MS NPS server
    Best Answer

    EMPLOYEE
    Posted Oct 01, 2014 08:36 PM

    The second RADIUS box would be the best (and probably the only) way.

    There is little flexibility within NPS to enforce PEAP vs. EAP-TLS in a single NPS installation. The NPS box also cannot tell which SSID the authentication came in on to restrict an EAP type to an SSID.



  • 3.  RE: EAP-PEAP & EAP-TLS co-existing using same MS NPS server

    EMPLOYEE
    Posted Oct 02, 2014 03:01 AM

    You could have different server groups such that the RADIUS server profiles are identical except they send different NAS-Identifiers.

    You can then have different policies on the NPS that filter on those NAS-Identifiers, like this.

    [image: NPS-Auth.jpg]

    I thought on NPS you can also specify the auth method, like this:

    [image: NPS-Auth.jpg]

    I've actually done what you describe using only a single SSID and dynamic server selection. Basically, anything that is not a domain machine gets sent with a NAS-Identifier=mobile. The NPS policy filters on that and returns an attribute of Filter-ID=mobile. A server rule is defined such that if Filter-ID=mobile then role=mobile. That role is mapped to the guest VLAN, and the users don't consume the MPLS resources.
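The NAS-Identifier plus authentication-method flow discussed in this thread, as an added example that is not code from the thread, from HPE Aruba or from Microsoft: a small Python model of NPS's first-match network-policy evaluation and the controller's Filter-ID server rule. Policy names, group names, NAS-Identifier values and the default role are constructed for illustration.

```python
# Added example, not the thread's own code: a model of the NPS network-policy flow
# described above, with constructed attribute values. NPS itself is configured in the
# MMC; this only shows why combining a NAS-Identifier condition with an authentication-
# method constraint rejects PEAP on the corporate SSID instead of letting the request
# fall through to the BYOD policy.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Request:
    nas_identifier: str          # set per radius-server profile on the controller
    eap_type: str                # "EAP-TLS" or "PEAP"
    groups: FrozenSet[str]       # AD group membership of the authenticating identity

@dataclass(frozen=True)
class Policy:
    name: str
    nas_identifier: str          # condition: must match for the policy to apply
    eap_types: FrozenSet[str]    # constraint: allowed authentication methods
    required_group: Optional[str] = None   # condition: Windows Groups
    filter_id: Optional[str] = None        # RADIUS Filter-Id returned on Access-Accept

# NPS processes network policies in order; the first policy whose *conditions* all
# match decides the request. If that policy's *constraints* then fail, the request
# is rejected outright rather than evaluated against later policies.
POLICIES = (
    Policy("Corp machines (EAP-TLS)", "corp", frozenset({"EAP-TLS"}), "Domain Computers"),
    Policy("BYOD (PEAP)", "mobile", frozenset({"PEAP"}), None, "mobile"),
)

def evaluate(req: Request) -> Tuple[bool, Optional[str]]:
    """Return (accepted, Filter-Id). No matching policy means reject, as in NPS."""
    for pol in POLICIES:
        if pol.nas_identifier != req.nas_identifier:
            continue                                  # condition not met: next policy
        if pol.required_group and pol.required_group not in req.groups:
            continue                                  # also a condition: next policy
        if req.eap_type not in pol.eap_types:
            return False, None                        # constraint failed: hard reject
        return True, pol.filter_id
    return False, None                                # nothing matched: reject

def derive_role(accepted: bool, filter_id: Optional[str], default_role: str) -> Optional[str]:
    """Controller-side server rule: Filter-ID=mobile -> role 'mobile' (guest VLAN)."""
    if not accepted:
        return None
    return "mobile" if filter_id == "mobile" else default_role

def authorize(req: Request, default_role: str = "corp-access") -> Optional[str]:
    """End to end: NPS decision, then the controller's role derivation."""
    return derive_role(*evaluate(req), default_role)
```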