Security

Contributor I
Posts: 31
Registered: 07-24-2014

Keep wireless users from hitting the Admin service policy

Hey guys, I have a rather dumb question. I have a customer with CPPM with a big list of radius service policies that I set up for admin access to various vendors, Aruba, Palo Alto, Cisco, Checkpoint. The service rules for the policies are very basic and only consist of the source device group that I set up for each one respectively and then each one has its own specific list of enforcement policies.

Everything works great, however we are looking to migrate radius authentication for wireless users over to this CPPM and I can't figure out how to keep the regular user authentications from hitting the admin service policy. Seems like this should be pretty simple. I normally use the Aruba-Essid-Name equals to separate out policies for different WLANs but I can't figure out how to separate Admins.

Thanks,

Guru Elite
Posts: 8,325
Registered: 09-08-2010

Re: Keep wireless users from hitting the Admin service policy

Put your wireless RADIUS rules higher in the list as they will have more attributes like SSID. 

You could also consider using TACACS+ for management AAA as it's a bit more robust.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 31
Registered: 07-24-2014

Re: Keep wireless users from hitting the Admin service policy

The SSID attribute actually shows up when an Admin tries to authenticate to a controller itself when they are on one of the Aruba wireless networks which I thought was kind of odd. I found this out when I tried putting in Radius:Aruba Aruba-Essid-Name Not Exist in the policy trying to keep it separate. This works except when an admin is on the wireless network they can't admin a controller.

Aruba
Posts: 1,643
Registered: 04-13-2009

Re: Keep wireless users from hitting the Admin service policy

Does your wireless service include the following?

Radius:IETF -- NAS-Port-Type -- EQUALS -- Wireless-802.11 (19)

OR

Try adding the following to your admin login service:

Radius:IETF -- Service Type -- EQUALS -- Administrative-User (6)

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 31
Registered: 07-24-2014

Re: Keep wireless users from hitting the Admin service policy

Thanks, I will give this a try tomorrow and let you know if it works as a way to separate the policies.

Contributor I
Posts: 31
Registered: 07-24-2014

Re: Keep wireless users from hitting the Admin service policy

Radius:IETF:Service-Type (6)

Adding this to the admin service rule let me separate admin users vs wireless users. Thank you very much!
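An added example, not from this thread or from ClearPass itself: a small Python model of ClearPass service categorization (services evaluated top-down, first match wins) that shows why the Aruba-Essid-Name Not Exist rule from the second post leaves an admin on Wi-Fi with no matching service, while the Service-Type = Administrative-User rule from the accepted answer routes all three constructed requests correctly. Attribute names are shortened, the device-group rule is left out, and the sample requests are constructed; the thread does not say whether a controller login from a Wi-Fi client also carries NAS-Port-Type, so that request omits it.

```python
from dataclasses import dataclass
from typing import Any, Optional

WIRELESS_80211 = 19        # Radius:IETF NAS-Port-Type = Wireless-802.11
ADMINISTRATIVE_USER = 6    # Radius:IETF Service-Type = Administrative-User
FRAMED_USER = 2            # Radius:IETF Service-Type typical for ordinary 802.1X users

@dataclass
class Service:
    name: str
    rules: list  # (attribute, operator, value) triples; all must match (AND)

def rule_matches(req: dict, attr: str, op: str, value: Any) -> bool:
    """Evaluate one service rule against the attributes of a RADIUS request."""
    if op == "EQUALS":
        return req.get(attr) == value
    if op == "NOT_EXISTS":
        return attr not in req
    raise ValueError(f"unsupported operator: {op}")

def categorize(req: dict, services: list) -> Optional[str]:
    """Return the first service, in list order, whose rules all match (like ClearPass)."""
    for svc in services:
        if all(rule_matches(req, a, o, v) for a, o, v in svc.rules):
            return svc.name
    return None  # no service matched: the request would not be serviced

# The OP's first attempt: keep admins separate by the absence of an SSID attribute.
ADMIN_BY_ESSID_ABSENT = [
    Service("Admin Login", [("Aruba-Essid-Name", "NOT_EXISTS", None)]),
    Service("Wireless Users", [("NAS-Port-Type", "EQUALS", WIRELESS_80211)]),
]
# The fix from the thread: match the admin service on Service-Type = Administrative-User.
ADMIN_BY_SERVICE_TYPE = [
    Service("Admin Login", [("Service-Type", "EQUALS", ADMINISTRATIVE_USER)]),
    Service("Wireless Users", [("NAS-Port-Type", "EQUALS", WIRELESS_80211)]),
]

# Constructed sample requests (not captured traffic). The last one models the OP's
# observation that a controller login from a client on Wi-Fi still carries the SSID.
REQUESTS = {
    "wireless_user": {"NAS-Port-Type": WIRELESS_80211, "Aruba-Essid-Name": "Corp", "Service-Type": FRAMED_USER},
    "wired_admin": {"Service-Type": ADMINISTRATIVE_USER},
    "admin_on_wifi": {"Service-Type": ADMINISTRATIVE_USER, "Aruba-Essid-Name": "Corp"},
}

def classify_all(services: list) -> dict:
    """Map each sample request name to the service it would hit under this service list."""
    return {name: categorize(req, services) for name, req in REQUESTS.items()}
```

With the Essid-absent list, `admin_on_wifi` matches nothing, which is the "can't admin a controller" symptom; with the Service-Type list it lands on Admin Login regardless of the SSID attribute. Ordering still matters in the model, as the first reply notes: a service whose rules are looser than another's must sit below it.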
