Contributor I
Posts: 26
Registered: 09-17-2012

Redirect of clients to different MS domains via NPS

Hello!

Here comes something that I have been trying to solve for a long period of time, but without success.

Scenario:

  • Domain 1 - MS AD, 2xNPS.site-1 for authentication of wireless clients (802.1x), SSID=EDU, Building 1, VirtualAP-1
  • Domain 2 - MS AD, 2xNPS.site-2 for authentication of wireless clients (802.1x), SSID=EDU, Building 2, VirtualAP-2
  • Clients have a computer name like "name.domain1.com" and "name.domain2.com"
  • Aruba 7220 controller

Problem:

Wireless clients from "Domain 1" are in "Building 2" and cannot authenticate to "Domain 1" because of the different NPS servers (and domain, of course), and vice versa. Observe that the SSID has the same name.

Both domains connect to the same Aruba controller, so it must be possible, somehow, to redirect wireless clients to the right domain and NPS.

We don't have ClearPass.

Please help if you have some idea on how to solve this.

Guru Elite
Posts: 20,008
Registered: 03-29-2007

Re: Redirect of clients to different MS domains via NPS

You should use a match group on the ArubaOS side:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/AAA_Servers/Server_Groups.htm#aaa_servers_3503549366_1049368

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor I
Posts: 26
Registered: 09-17-2012

Re: Redirect of clients to different MS domains via NPS

Thanks for the reply.

I think that is not exactly what I need to solve the problem, but maybe I am wrong, so please tell me if I am.

Check the attached image - this is the problem.

[Attachment: Client redirect.jpg]

Regular Contributor II
Posts: 226
Registered: 03-03-2011

Re: Redirect of clients to different MS domains via NPS

I agree with cjoseph that the match-group feature under the RADIUS server-group on the controller should resolve this.

Alternatively, you would need to create a RADIUS proxy on NPS.domain1 for domain2 pointing at NPS.domain2.

The reverse would also be required, i.e. a RADIUS proxy on NPS.domain2 for domain1 pointing at NPS.domain1.

David
ACDX #98 | ACMP | ACCP
Contributor I
Posts: 26
Registered: 09-17-2012

Re: Redirect of clients to different MS domains via NPS

Hi!

Thanks for the reply but... I don't understand this, sorry.

Please, this is easy for you guys, but try to explain a little better.

When I look in the manual I can't find anywhere where I can point to another RADIUS server.

The only thing I can do is to create a rule in the server group for Domain 2: authstring -> contains -> domain1.com

What should I do next?

What do you mean by match-group?

Setting up a RADIUS proxy is not an option because we would need to have a trust between the domains, and that's not relevant right now.


Regular Contributor II
Posts: 226
Registered: 03-03-2011

Re: Redirect of clients to different MS domains via NPS

You can use the AuthString option to match the domain.

So you would have both NPS servers in the server-group with NPS1 having an AuthString contains domain1.

Also you would have NPS2 with an AuthString contains domain2.

This should cause the controller to send requests to the appropriate NPS server for the domain.

David
ACDX #98 | ACMP | ACCP
Guru Elite
Posts: 20,008
Registered: 03-29-2007

Re: Redirect of clients to different MS domains via NPS

AirAO wrote:

> Hi!
>
> Thanks for the reply but... I don't understand this, sorry.
>
> Please, this is easy for you guys, but try to explain a little better.
>
> When I look in the manual I can't find anywhere where I can point to another RADIUS server.
>
> The only thing I can do is to create a rule in the server group for Domain 2: authstring -> contains -> domain1.com
>
> What should I do next?
>
> What do you mean by match-group?
>
> Setting up a RADIUS proxy is not an option because we would need to have a trust between the domains, and that's not relevant right now.

AirAO,

A RADIUS proxy has nothing to do with trusts between domains. It is only a rule on one RADIUS server pointing to another RADIUS server for a particular domain:

http://technet.microsoft.com/en-us/library/cc772591.aspx

http://technet.microsoft.com/en-us/library/dd197525(v=ws.10).aspx


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor I
Posts: 26
Registered: 09-17-2012

Re: Redirect of clients to different MS domains via NPS

Hi again!

It works now! Thanks for your explanations dg27 and cjoseph!

I had missed adding the line with Filter-Id in the "Server rules" section for Domain 1.
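As an added example (not posted by anyone in this thread), here is what the configuration the thread converges on looks like in ArubaOS CLI form: one server group for the shared EDU SSID holding the NPS servers of both domains, each restricted with match-authstring, plus the Filter-Id server rule the last post mentions. Server names, IP addresses, shared secrets, profile names and the role/Filter-Id values are constructed placeholders.

```text
! Constructed example, not from the thread. Hostnames, IPs, secrets,
! profile names and role values are placeholders; use your own.

! One RADIUS server definition per NPS host (two per site as in the thread)
aaa authentication-server radius "NPS1-site1"
  host 192.0.2.11
  key "<shared-secret-domain1>"
!
aaa authentication-server radius "NPS2-site1"
  host 192.0.2.12
  key "<shared-secret-domain1>"
!
aaa authentication-server radius "NPS1-site2"
  host 192.0.2.21
  key "<shared-secret-domain2>"
!
aaa authentication-server radius "NPS2-site2"
  host 192.0.2.22
  key "<shared-secret-domain2>"
!
! A single server group used by the EDU SSID in both buildings.
! match-authstring is evaluated against the User-Name in the request,
! so machine auth from "host/name.domain1.com" is sent to Domain 1's NPS
! and "host/name.domain2.com" to Domain 2's NPS, whichever building the
! client is in. Servers without a matching rule are never tried.
aaa server-group "EDU-srvgrp"
  auth-server "NPS1-site1" match-authstring contains "domain1.com"
  auth-server "NPS2-site1" match-authstring contains "domain1.com"
  auth-server "NPS1-site2" match-authstring contains "domain2.com"
  auth-server "NPS2-site2" match-authstring contains "domain2.com"
  ! Server rule: map the Filter-Id attribute returned by NPS to a user
  ! role (this is the "Server rules" line the last post had missed).
  set role condition "Filter-Id" equals "EDU-Staff" set-value "EDU-Staff-role"
!
! Bind the group to the 802.1X profile referenced by both Virtual APs.
aaa authentication dot1x "EDU-dot1x"
!
aaa profile "EDU-aaa"
  authentication-dot1x "EDU-dot1x"
  dot1x-server-group "EDU-srvgrp"
!
```

Because the rule is a plain substring match on User-Name, check what your supplicants actually send: user logons presented as "DOMAIN1\user" contain "domain1" but not "domain1.com", so such requests would match neither server and fail; either use "contains" strings that cover every User-Name form in use, or make sure clients send UPN/FQDN-style names.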
