Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Keep wireless users from hitting the Admin service policy

  • 1.  Keep wireless users from hitting the Admin service policy

    Posted Jan 05, 2015 06:51 PM

    Hey guys, I have a rather dumb question. I have a customer with CPPM with a big list of RADIUS service policies that I set up for admin access to various vendors: Aruba, Palo Alto, Cisco, Checkpoint. The service rules for the policies are very basic and only consist of the source device group that I set up for each one respectively, and then each one has its own specific list of enforcement policies.


    Everything works great; however, we are looking to migrate RADIUS authentication for wireless users over to this CPPM and I can't figure out how to keep the regular user authentications from hitting the admin service policy. Seems like this should be pretty simple. I normally use Aruba-Essid-Name EQUALS to separate out policies for different WLANs, but I can't figure out how to separate admins.


    Thanks,



  • 2.  RE: Keep wireless users from hitting the Admin service policy

    EMPLOYEE
    Posted Jan 05, 2015 06:54 PM
    Put your wireless RADIUS rules higher in the list as they will have more attributes like SSID. 

    You could also consider using TACACS+ for management AAA, as it's a bit more robust.


  • 3.  RE: Keep wireless users from hitting the Admin service policy

    Posted Jan 05, 2015 07:08 PM

    The SSID attribute actually shows up when an admin tries to authenticate to a controller itself when they are on one of the Aruba wireless networks, which I thought was kind of odd. I found this out when I tried putting Radius:Aruba Aruba-Essid-Name NOT EXISTS in the policy, trying to keep it separate. This works, except that when an admin is on the wireless network they can't admin a controller.



  • 4.  RE: Keep wireless users from hitting the Admin service policy
    Best Answer

    Posted Jan 05, 2015 09:43 PM

    Does your wireless service include the following?

    Radius:IETF -- NAS-Port-Type -- EQUALS -- Wireless-802.11 (19)

    OR

    Try adding the following to your admin login service:

    Radius:IETF -- Service-Type -- EQUALS -- Administrative-User (6)
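    The ordered service matching this answer relies on, as an added example (a small Python model, not ClearPass code): each service is a list of rules that must all match and the first matching service wins. It shows why the NOT EXISTS approach from post 3 leaves an admin on the WLAN with no matching service, while keying the admin service on Service-Type works. Attribute names follow the thread's Dictionary:Attribute form; the request dicts are constructed samples.

```python
ADMINISTRATIVE_USER = 6   # Radius:IETF:Service-Type value quoted in the thread
WIRELESS_80211 = 19       # Radius:IETF:NAS-Port-Type value quoted in the thread


def rule_matches(rule, request):
    """Evaluate one (attribute, operator, value) rule against a request dict."""
    attr, op, value = rule
    if op == "EQUALS":
        return request.get(attr) == value
    if op == "EXISTS":
        return attr in request
    if op == "NOT_EXISTS":
        return attr not in request
    raise ValueError(f"unsupported operator: {op}")


def classify(services, request):
    """First service whose rules all match, or None (request would be rejected)."""
    for name, rules in services:
        if all(rule_matches(r, request) for r in rules):
            return name
    return None


WIRELESS_SERVICE = ("Wireless Users", [
    ("Radius:IETF:NAS-Port-Type", "EQUALS", WIRELESS_80211),
    ("Radius:Aruba:Aruba-Essid-Name", "EXISTS", None),
])
# Post 3's attempt: admin service requires that no ESSID attribute be present.
ADMIN_BY_ESSID_ABSENT = ("Aruba Admin", [
    ("Radius:Aruba:Aruba-Essid-Name", "NOT_EXISTS", None),
])
# Best answer: admin service keyed on Service-Type = Administrative-User.
ADMIN_BY_SERVICE_TYPE = ("Aruba Admin", [
    ("Radius:IETF:Service-Type", "EQUALS", ADMINISTRATIVE_USER),
])
BROKEN_ORDER = [WIRELESS_SERVICE, ADMIN_BY_ESSID_ABSENT]
FIXED_ORDER = [WIRELESS_SERVICE, ADMIN_BY_SERVICE_TYPE]

# Constructed requests; the admin-on-WLAN login carries an ESSID, as post 3 observed.
WIRELESS_USER = {"Radius:IETF:NAS-Port-Type": WIRELESS_80211,
                 "Radius:Aruba:Aruba-Essid-Name": "corp-wlan",
                 "Radius:IETF:Service-Type": 2}  # Framed-User
ADMIN_FROM_WIRE = {"Radius:IETF:Service-Type": ADMINISTRATIVE_USER}
ADMIN_ON_WLAN = {"Radius:IETF:Service-Type": ADMINISTRATIVE_USER,
                 "Radius:Aruba:Aruba-Essid-Name": "corp-wlan"}
```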


  • 5.  RE: Keep wireless users from hitting the Admin service policy

    Posted Jan 06, 2015 12:12 AM

    Thanks, I will give this a try tomorrow and let you know if it works as a way to separate the policies.



  • 6.  RE: Keep wireless users from hitting the Admin service policy

    Posted Jan 06, 2015 04:59 PM
    Radius:IETF:Service-Type (6)

    Adding this to the admin service rule let me separate admin users vs wireless users. Thank you very much!