08-16-2015 07:59 AM
I have an Instant network setup and the client would like two different dot 1x networks to authenticate to the same NPS server. The two networks should provide authorization based upon group membership. One WLAN is for admins; it should filter based upon the domain admins group and be unrestricted. The other WLAN will be for other employees; it should filter upon the domain users group and have some restrictions applied. I have created both networks in the Instant cluster, applied application firewall rules and I have created two different network policies in NPS where I have set the conditions based upon the applicable Windows groups. Authentication works fine; my problem is with authorization. With the way NPS works, any user can connect to either network, as if one network policy fails it will try the next. In the security logs I see user authentications hitting my different policies, so that piece of the design is working as intended. I need to (or rather, is there a way to?) stop it and somehow let one WLAN use one and only one network policy in NPS, so it fails and doesn't try subsequent policies (particularly applicable for the admin network). I've done this with ClearPass for other clients without issue, but for this client they didn't want to spend the $$$ on CPPM (it's a 6 IAP-205 shop, pretty small) and decided on NPS instead. I'm just not sure if I can do this on Instant without a second NPS server. I will also at this point freely admit that my NPS knowledge is enough to get by, but I'm not an expert by any means. Thanks for the long read. Any help appreciated.
08-16-2015 08:02 AM
08-16-2015 08:13 AM - edited 08-16-2015 08:16 AM
Thanks Tim. Shows you how much I know about NPS. I didn't know that you could pass back VLAN and roles from NPS to an Instant cluster. ClearPass, sure... but in NPS? I don't know how to do that, but I can get my google-fu going.
08-16-2015 08:21 AM
08-16-2015 02:27 PM
I did some research and ended up using the standard RADIUS attribute Filter-Id. This works perfectly. Is there an advantage, or is one considered best practice over the other (Aruba VSA vs. standard RADIUS attributes)?
08-16-2015 02:33 PM
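To make the Filter-Id vs. Aruba VSA question concrete, here is an added example (not from the thread or from Aruba) that encodes the two ways an NPS network policy can hand a user role back to the Instant cluster in the Access-Accept, and decodes either one the way a NAS would. Attribute numbers are the public RFC 2865 values and Aruba's IANA enterprise number; the role names and group mapping are constructed placeholders.

```python
import struct

FILTER_ID = 11            # standard RADIUS Filter-Id (RFC 2865), a plain string
VENDOR_SPECIFIC = 26      # standard RADIUS Vendor-Specific wrapper (RFC 2865)
ARUBA_VENDOR_ID = 14823   # IANA enterprise number registered to Aruba Networks
ARUBA_USER_ROLE = 1       # vendor-type of the Aruba-User-Role VSA

# Constructed mapping: the Windows group an NPS policy matched -> IAP user role.
# Role names are placeholders; they must match roles defined on the Instant cluster.
GROUP_TO_ROLE = {"Domain Admins": "admin-role", "Domain Users": "employee-role"}

def encode_filter_id(role: str) -> bytes:
    """Standard attribute: Type(11) | Length | string. The IAP maps the string to a role."""
    value = role.encode("ascii")
    return struct.pack("!BB", FILTER_ID, 2 + len(value)) + value

def encode_aruba_user_role(role: str) -> bytes:
    """VSA: Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | string."""
    value = role.encode("ascii")
    inner = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), ARUBA_VENDOR_ID) + inner

def decode_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list and return (name, role) pairs for the two role attributes.

    Length fields are checked so a truncated or oversized attribute raises instead of
    silently yielding a partial role name."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == FILTER_ID:
            out.append(("Filter-Id", value.decode("ascii")))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            (vendor,) = struct.unpack("!I", value[:4])
            vtype, vlen = value[4], value[5]
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE and vlen <= len(value) - 4:
                out.append(("Aruba-User-Role", value[6:vlen + 4].decode("ascii")))
        i += alen
    return out

def reply_attributes(group: str, use_vsa: bool) -> bytes:
    """Build the role attribute an Access-Accept would carry for the given matched group."""
    role = GROUP_TO_ROLE[group]
    return encode_aruba_user_role(role) if use_vsa else encode_filter_id(role)
```

Both forms carry the same role string; the VSA is explicitly Aruba's, while Filter-Id is generic and depends on the receiving NAS mapping it to a role as the IAP does here.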