Occasional Contributor I

NPS Vlan Attribute

Hi there,

 

I have configured our Microsoft NPS server to send a return attribute to our Aruba controller in the form of a vlan id. The attribute I am sending with the vlan number is the Tunnel-Pvt-Group-ID.

 

However, Aruba seems to not acknowledge the vlan and does not drop users into the correct vlan.

 

Can anyone advise what I would need to configure on the Aruba controller to allow this to happen?

 

I'm basically trying to get Aruba to assign vlans based on the return attribute (vlan-id)...the NPS server is determining what user belongs to what AD security group and then sends the appropriate return attribute.

 

Thanks

SW

Guru Elite

Re: NPS Vlan Attribute

To see what radius attributes are coming back:

 

config t
logging level debugging security process authmgr
logging level debugging security subcat aaa

 

show log security 50
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=48, srv=192.168.1.32, fd=78
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:82]  Current entry: srv=192.168.1.32, fd=78
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:37] Del Request: id=48, srv=192.168.1.32, fd=78
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1029] Authentication Successful
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: 0 
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 20 
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \005 
Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: \366\262x\225\220K\202\356\025\031\003q\264(\252I 
Sep 11 06:52:17 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=radius-accounting, server=cppm-192.168.1.32, user=70:56:81:b2:cc:15 
Sep 11 06:52:17 :124004:  <DBUG> |authmgr|  Auth server 'cppm-192.168.1.32' response=0
Colin Joseph
Aruba Customer Engineering

Guru Elite

Re: NPS Vlan Attribute

Use the Aruba VSA. See here

http://community.arubanetworks.com/t5/Aruba-Instant/Setup-Dynamic-Vlans/m-p/91788#M2542

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: NPS Vlan Attribute

Hi cjoseph,

 

Thanks very much for the quick reply. I believe the attribute is being sent to Aruba but my issue is that I don't know what to configure on the Aruba end to mean that it takes the return attribute as a vlan tag. At the moment it doesn't seem to be tagging the user traffic with a vlan tag based on the return attribute, how can I solve that?

 

Thanks

SW
Aruba Employee

Re: NPS Vlan Attribute

In the server group that is in use, add a server derivation rule that says "Set the VLAN to the value returned in Tunnel-Private-Group-ID". To do this, click on Configuration > Authentication > Server Group, then select the appropriate server group. Under Server Rules, click New. Select Condition = Tunnel-Private-Group-ID, set the next field to value-of and change "set role" to "set vlan", then click add. Make sure you save the config to startup (the Save Configuration button on top). The VLAN should now change when a user is authenticated via NPS and the VLAN value is passed back as Tunnel-Private-Group-ID.

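Added example (Python, not Aruba's, Microsoft's or any poster's code): it builds a RADIUS Access-Accept carrying the RFC 3580 attribute triple a RADIUS server such as NPS returns for VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>), parses it back the way a NAS would, and applies the derivation rule described in the post above, set vlan to the value-of Tunnel-Private-Group-ID. It also covers two things that commonly trip this up: the RFC 2868 tag byte a RADIUS server may prepend to each tunnel attribute, and an Access-Accept whose Rad-Length is 20, which carries no attributes at all (the RADIUS header alone is 20 bytes), so there is nothing for the rule to match. All packets are constructed inline; attribute numbers and names are from the RFCs, and the `strict` option is an assumption of this example, not an ArubaOS setting.

```python
"""Build and parse a RADIUS Access-Accept with the RFC 3580 VLAN attributes
and apply the rule "set vlan condition Tunnel-Private-Group-Id value-of".
Added example: packets below are constructed, not captures."""
import struct

ACCESS_ACCEPT = 2
HDR_LEN = 20                 # code(1) id(1) length(2) authenticator(16)
TUNNEL_TYPE = 64             # RFC 2868
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE802 = 6


def _attr(code, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([code, len(value) + 2]) + value


def empty_access_accept(ident):
    """Header-only Access-Accept (Length 20): the server accepted the user
    but returned no attributes, so no VLAN rule can ever match."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, HDR_LEN) + bytes(16)


def build_access_accept(ident, vlan, tag=1, tunnel_type=TUNNEL_TYPE_VLAN):
    """Access-Accept with Tunnel-Type, Tunnel-Medium-Type=IEEE-802 and
    Tunnel-Private-Group-ID=<vlan>. tag=None sends the attributes untagged
    (tag byte 0 on the integer attrs, no tag byte on the string attr).
    Authenticator is zeroed: the Response Authenticator / shared-secret
    check is out of scope for this example."""
    tag_int = 0 if tag is None else tag
    attrs = _attr(TUNNEL_TYPE, bytes([tag_int]) + tunnel_type.to_bytes(3, "big"))
    attrs += _attr(TUNNEL_MEDIUM_TYPE,
                   bytes([tag_int]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    group = vlan.encode("ascii")
    if tag is not None:
        group = bytes([tag]) + group
    attrs += _attr(TUNNEL_PRIVATE_GROUP_ID, group)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HDR_LEN + len(attrs))
    return header + bytes(16) + attrs


def parse_attributes(pkt):
    """Return (code, [(type, raw_value), ...]); rejects bad lengths."""
    if len(pkt) < HDR_LEN:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HDR_LEN or length > len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = [], HDR_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def split_tag(raw, integer):
    """Strip the RFC 2868 tag. Integer tunnel attrs always carry a tag byte
    (0 = unused); on string attrs the first byte is a tag only if <= 0x1F."""
    if integer:
        if len(raw) != 4:
            raise ValueError("tunnel integer attribute must be 4 bytes")
        return raw[0], int.from_bytes(raw[1:], "big")
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def derive_vlan(pkt, strict=False):
    """Aruba-style rule: set vlan to value-of Tunnel-Private-Group-ID.
    strict=True (this example's own option) additionally requires
    Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 under the same tag,
    which is what RFC 3580 expects. Returns an int VLAN ID, a str VLAN
    name, or None when nothing usable was returned."""
    code, attrs = parse_attributes(pkt)
    if code != ACCESS_ACCEPT:
        return None
    ttype, medium, group = {}, {}, {}
    for atype, raw in attrs:
        if atype == TUNNEL_TYPE:
            tag, val = split_tag(raw, True)
            ttype[tag] = val
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, val = split_tag(raw, True)
            medium[tag] = val
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, val = split_tag(raw, False)
            group[tag] = val.decode("ascii", "replace")
    for tag in sorted(group):
        if strict and not (ttype.get(tag) == TUNNEL_TYPE_VLAN
                           and medium.get(tag) == TUNNEL_MEDIUM_IEEE802):
            continue
        name = group[tag]
        if name.isdigit():
            vid = int(name)
            return vid if 1 <= vid <= 4094 else None   # refuse bogus IDs
        return name   # a VLAN name: the NAS must have a VLAN by that name
    return None


if __name__ == "__main__":
    print(derive_vlan(build_access_accept(48, "100")))          # 100
    print(derive_vlan(empty_access_accept(48)))                 # None
```

The `strict=False` default mirrors the derivation rule in the post above, which keys on Tunnel-Private-Group-ID alone; other NAS implementations refuse the VLAN unless Tunnel-Type and Tunnel-Medium-Type are also present, so sending all three from NPS is the safe choice either way.
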
Re: NPS Vlan Attribute

The set vlan option is good but you can also assign a VLAN in the role. I like this better...just more "clean" to me.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com