Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Microsoft NPS custom attributes

Hi fellow Airheads,

 

Anyone know if it is possible for the NPS server to send a custom attribute back to our Aruba Wireless controller?  We would like to use this attribute to help dictate which wireless role to put this particular device on.  We are looking to leverage the Active Directory global group which the device is in and send the group name attribute back to the Aruba wireless controller.  From there the Aruba can use that attribute to determine the wireless role.

 

Thanks in advance,

Bill

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Microsoft NPS custom attributes

Yes.  This is supported.  I would suggest using Filter IDs; then, in the AAA server group, you can do a server-derived role using the following logic:

IF Filter-ID EQUALS "Student" THEN set-role Student

 

 

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: Microsoft NPS custom attributes

You can use the filter-id attribute to return a tag then create a server
derived rule on the controller that maps the filter-id to a role.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Microsoft NPS custom attributes

The below is using MS IAS but should be somewhat similar with NPS I would hope. You would also need to go ahead and configure the appropriate policies.  TechNet at the Microsoft website should have a plethora of articles on this.

 

Method 1: Use a Vendor-Specific Attribute

 

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. Click Remote Access Policies, right-click the policy that you want to configure a vendor-specific attribute for, and then click Properties.
  3. Click Edit Profile, click the Advanced tab, and then click Add.
  4. In the list of available RADIUS attributes, click Aruba-User-Role, click Add, and then click Add.
  5. In the Attribute value box, type Student.

    Note This example shows a configuration that uses the Aruba role Student. Your configuration will vary.

Method 2: Use a Standard RADIUS Attribute Filter-ID

 

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
  2. Click Remote Access Policies.
  3. Right-click the policy that you want to configure a vendor-specific attribute for, and then click Properties.
  4. Click Edit Profile, click the Advanced tab, and then click Add.
  5. In the list of available RADIUS attributes, click Filter-ID, click Add, and then click Add.
  6. In the Enter the attribute value in box, click String, and then type student.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: Microsoft NPS custom attributes

Thanks for the quick replies.  I don't have much exposure to the NPS side of things since our AD/Security group takes care of it.  Can someone give me a quick run-through or point me to an article on how to set this up from the NPS side...if there is any setup?

 

Thanks.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Microsoft NPS custom attributes

The above was that config help with MS.  I will let others chime in if they know.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: Microsoft NPS custom attributes

Thanks Seth for the walk through.

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Microsoft NPS custom attributes

To elaborate on Seth's response: you can use any of the Aruba Standard VSAs (listed below).  The process is the same, just the assigned attribute number would differ, depending on what your goal is.  Don't forget to set up a corresponding rule on the Server Group side.  The following is a modified example from an earlier post.

 

Policy Name - Wireless-IT-Role-Assignment

Type of Network Access Server - Unspecified

Conditions - add whatever you typically add; but make sure you have Windows Group matches IT

Access Granted

EAP Type - add whatever authentication types you use

Constraints - NONE

RADIUS Attributes

  • Click Vendor Specific; click Add
  • Choose Vendor Specific from the Vendor choice; click Add
  • Click to add attribute information
  • Select Vendor Code = 14823 and Yes it conforms, click Configure Attributes
  • Choose 1 as your assigned attribute number (for Aruba-User-Role in the below table)
  • Attribute format = string
  • Attribute value = authenticated (role name)
  • Click OK to close out

 

On your Server Group that has the NPS servers defined, add a server derived rule that will look for this attribute from NPS and then apply the role.   This will set the role to whatever value is sent by NPS for Aruba-User-Role (or to NPS, Vendor 14823, attribute 1).

set role condition "Aruba-User-Role" value-of position 1

 

  

Here are some of the supported VSAs; there are probably more by now.

VENDOR Code 14823

Attribute                      Attribute Number   Format
Aruba-User-Role                1                  string
Aruba-User-Vlan                2                  integer
Aruba-Priv-Admin-User          3                  integer
Aruba-Admin-Role               4                  string
Aruba-Essid-Name               5                  string
Aruba-Location-Id              6                  string
Aruba-Port-Id                  7                  string
Aruba-Template-User            8                  string
Aruba-Named-User-Vlan          9                  string
Aruba-AP-Group                 10                 string
Aruba-Framed-IPv6-Address      11                 string
Aruba-Device-Type              12                 string
Aruba-AP-Name                  13                 string
Aruba-No-DHCP-Fingerprint      14                 integer
Aruba-Mdps-Device-Udid         15                 string
Aruba-Mdps-Device-Imei         16                 string
Aruba-Mdps-Device-Iccid        17                 string
Aruba-Mdps-Max-Devices         18                 integer
Aruba-Mdps-Device-Name         19                 string
Aruba-Mdps-Device-Product      20                 string
Aruba-Mdps-Device-Version      21                 string
Aruba-Mdps-Device-Serial       22                 string
Aruba-CPPM-Role                23                 string
Aruba-AirGroup-User-Name       24                 string
Aruba-AirGroup-Shared-User     25                 string
Aruba-AirGroup-Shared-Role     26                 string
Aruba-AirGroup-Device-Type     27                 integer
Aruba-Auth-Survivability       28                 string
Aruba-AS-User-Name             29                 string
Aruba-AS-Credential-Hash       30                 string

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
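
An added example, not part of the original posts and not Aruba or Microsoft code: a Python sketch that decodes the attribute section of a RADIUS Access-Accept to check that Filter-Id (type 11) and the Aruba-User-Role VSA (vendor 14823, attribute 1) arrive as configured above. The function names, the sample bytes, the lookup order and the allowlist fallback in `derive_role` are assumptions made for illustration.

```python
import struct

ARUBA_VENDOR_ID = 14823               # vendor code given in the post
FILTER_ID, VENDOR_SPECIFIC = 11, 26   # RFC 2865 attribute types
ARUBA_USER_ROLE = 1                   # assigned attribute number from the table

def parse_tlvs(buf):
    """Split type/length/value attributes; length covers the 2-byte header."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        out.append((atype, buf[i + 2:i + alen]))
        i += alen
    return out

def returned_role_tags(attr_bytes):
    """Collect Filter-Id and Aruba-User-Role from an attribute section."""
    tags = {}
    for atype, value in parse_tlvs(attr_bytes):
        if atype == FILTER_ID:
            tags["Filter-Id"] = value.decode("utf-8")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor != ARUBA_VENDOR_ID:
                continue                  # another vendor's VSA, ignore
            # "Conforms" format: sub-attributes reuse the same TLV layout
            for stype, sval in parse_tlvs(value[4:]):
                if stype == ARUBA_USER_ROLE:
                    tags["Aruba-User-Role"] = sval.decode("utf-8")
    return tags

def derive_role(tags, configured_roles, default_role):
    """Hypothetical value-of mapping: accept a returned tag only if it names
    a configured role (exact string match in this sketch), else the default."""
    for name in ("Aruba-User-Role", "Filter-Id"):   # order is an assumption
        if tags.get(name) in configured_roles:
            return tags[name]
    return default_role

def tlv(t, v):
    return bytes([t, len(v) + 2]) + v

# Constructed sample: attribute section of an Access-Accept (not a capture)
SAMPLE = tlv(FILTER_ID, b"Student") + tlv(
    VENDOR_SPECIFIC,
    struct.pack("!I", ARUBA_VENDOR_ID) + tlv(ARUBA_USER_ROLE, b"authenticated"))
```

Falling back to a default role when the returned string is not a configured role keeps a typo in the NPS policy from silently granting an unintended role in this sketch.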

Occasional Contributor II
Posts: 57
Registered: ‎04-01-2010

Re: Microsoft NPS custom attributes

Do these attributes need to be added one by one as needed?  Is there a way to import them into the NPS?

 

Thanks.

Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Microsoft NPS custom attributes

Microsoft does not allow them to be imported, and they can only be used for return attributes; not for setting conditions in your policies.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
