Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User Derivation Rules

  • 1.  User Derivation Rules

    Posted Dec 03, 2012 04:31 PM

    Hi, 

     

    I have created an AD group, "Internet Users", on the MS server, and now one member is in this group for testing.

    I have also created an SSID on the wireless controller: "Mobile Users".

     

    I tried many times with rules under (Server Group) but got no benefit; each time all members can access the SSID and use the Internet.

     

    What I need is a rule that permits "Internet Users" members ONLY to connect to the SSID.

     

    Thanks in advance.

    Mohammed



  • 2.  RE: User Derivation Rules

    Posted Dec 03, 2012 06:52 PM

    Hello

    Are you using EAP PEAP or EAP TLS?

     

    For both you need a certificate installed on the server...

    If you have a certificate authority, a certificate from a machine template is enough...

     

    After you have the certificate installed on your server,

    you need to create a connection request policy and a network policy rule.

    1- In the network policy rule you need to configure the group that will have access.

    2- Then you also need to select the certificate you are using (the one you installed on your server) and select EAP PEAP.

    3- Then you need to put the Filter-Id to send the role name to the controller...

    On the controller you need to create a role with the same name you put in the NPS, and under that role you configure all the firewall rules you want.

     

    Under the server rules you need to create a rule like this:

    On attribute put Filter-Id, on operation put value-of, on type put string, on action put set role.

     

    After that it should work correctly.

     

    For a guide on how to configure it on the NPS, you can follow this guide, which I think Collin made for us and which is really helpful:

     

    http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

     

    That will help you

     

    If you have trouble, please post some screenshots so we can see the config and we will try to help you.

     

    Cheers

    Carlos

     

     



  • 3.  RE: User Derivation Rules

    Posted Dec 22, 2012 02:52 AM

    Hi Carlos,

     

    Really appreciate your reply, and sorry for the late response.

     

    I did most of the steps that were mentioned, but I got this:

     

    On Radius1 I have multiple policies; one of them is (Secure Wireless Connection), which was created later for this purpose. There is also a policy called (KAMC_Wireless_Users). If this one is set to:

    Disabled (which is not acceptable): Secure Wireless Connection will work fine.

    Enabled: Secure Wireless Connection will not work.

     

    I'm attaching:

    Policy snapshots > Radius 1

    Master Snapshots > Master Controller

    CLI commands and test > Master controller.

     

    Note:

    KAMC_Wireless_Users is going to be in production environment soon.

    KAMC_Wireless_Users is permitted for users to use internet in certain hours. 

    Attachments: Policy Snapshots.docx (2.38 MB), CLI.txt (898 B), Master Snapshots.docx (813 KB)


  • 4.  RE: User Derivation Rules

    EMPLOYEE
    Posted Dec 22, 2012 06:08 AM

    GrandMarquisLS,

     

    NPS cannot be extended to understand what user connects to what SSID.

     

    Why don't you just have both sets of users connect to the one SSID? Make sure you place the network policy with the restriction on top so that it gets addressed first. That way users will connect to the same SSID, but only the ones without the time restriction will connect all of the time.

     



  • 5.  RE: User Derivation Rules

    Posted Dec 22, 2012 09:30 AM

    Collin is right

    Here, in the solution that Collin is telling you about, you will use derived roles.

    Using it is simple:

    Under Settings in the network policy, you will add a new attribute... select Filter-Id, for example.

    On the controller you will create roles, for example:

    IT role

    Sales role

     

    In the Filter-Id on the network policy you have to put the SAME name, so the RADIUS server sends the attribute to the wireless controller, which applies the role with the same name....

     

     



  • 6.  RE: User Derivation Rules

    Posted Dec 30, 2012 06:01 AM

    appreciate your input guys

     

    But the services on both SSIDs are entirely different. So we need to have two different user groups connect to two different SSIDs (not one SSID). A time-restriction-based policy is not applicable here, as users may have different shifts of duty (morning, evening, etc.); this is the reason why we are looking for an "AD group" based policy.

     

    So I think we need to look at another SSID, if that is possible.

     



  • 7.  RE: User Derivation Rules

    Posted Dec 30, 2012 10:47 AM

    On the NPS you can set when that policy works... I mean, on the network policy you can put the first policy, for example:

     

    IT

    You select IT in the AD.

    In the same rule you also select time based... and you put there when that policy will work; let's say it will work from 8am to 5pm.

    When a user wants to connect after 5pm the policy won't work, so that user won't be able to connect.

     

    In the other rule you select Sales.

    In the same rule you also select time based and you do the same...

     

    I don't know if that's what you want? And you can still use one SSID.

     

    If not, please explain more clearly what the scenario is.

     

    I haven't tried what I told you, but I believe it works correctly. I can do the lab, I guess, but I'm pretty sure it will work correctly, just as I have many, MANY network policies on my NPS with different combinations, so they all work when they need to... I have all the switch authentication with the NPS, WC, VIA, firewalls, etc. etc. in one NPS.
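
    The following is an added example and not code from any post in this thread or from HPE Aruba or Microsoft. It models, in Python, the flow that replies 2, 5 and 7 describe and that reply 4's "put the restricted policy on top" advice relies on: NPS walks its network policies in processing order and applies the first enabled policy whose conditions all match (Windows group membership, day/time restriction); that policy's Filter-Id is returned in the Access-Accept; and the controller's server derivation rule (attribute Filter-Id, operation value-of, type string, action set role) turns the value into the user role. Policy names, group names, role names and the time window are assumptions chosen to mirror the thread.

```python
# Added example (not from the thread): first-match NPS policy evaluation plus
# the controller's "Filter-Id value-of -> set role" derivation rule.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass
class NetworkPolicy:
    name: str
    enabled: bool
    groups: frozenset                  # Windows Groups condition; any one matches, empty = no condition
    hours: Optional[Tuple[int, int]]   # Day and Time Restriction as (start_hour, end_hour); None = always
    filter_id: Optional[str]           # RADIUS Filter-Id sent back on Access-Accept


def nps_evaluate(policies, user_groups, when):
    """First-match evaluation in processing order. Returns (policy name,
    RADIUS attributes) on Access-Accept, or None when nothing matches
    (Access-Reject)."""
    for p in policies:
        if not p.enabled:
            continue
        if p.groups and not (p.groups & user_groups):
            continue
        if p.hours and not (p.hours[0] <= when.hour < p.hours[1]):
            continue
        attrs = {"Filter-Id": p.filter_id} if p.filter_id else {}
        return p.name, attrs
    return None


def derive_role(attrs, known_roles, default_role):
    """Server derivation rule: attribute Filter-Id, operation value-of, action
    set role. The attribute value must name a role that exists on the
    controller; anything else leaves the user in the default role."""
    role = attrs.get("Filter-Id")
    return role if role in known_roles else default_role


def wireless_login(policies, user_groups, when, known_roles, default_role="logon"):
    """One RADIUS round trip as the controller sees it: derived role, or None
    when NPS rejected the user."""
    result = nps_evaluate(policies, user_groups, when)
    if result is None:
        return None
    _, attrs = result
    return derive_role(attrs, known_roles, default_role)


# Roles configured on the controller (assumed names).
ROLES = {"kamc-lan", "internet-only", "it-role", "logon"}

# NPS policies roughly as the thread describes them (conditions are assumed).
KAMC = NetworkPolicy("KAMC_Wireless_Users", True, frozenset({"Domain Users"}), None, "kamc-lan")
KAMC_OFF = NetworkPolicy("KAMC_Wireless_Users", False, frozenset({"Domain Users"}), None, "kamc-lan")
SECURE = NetworkPolicy("Secure Wireless Connection", True, frozenset({"Internet Users"}), None, "internet-only")
IT_HOURS = NetworkPolicy("IT", True, frozenset({"IT"}), (8, 17), "it-role")

# Constructed test accounts.
MOHAMMED = frozenset({"Domain Users", "Internet Users"})   # member of the new group
IT_USER = frozenset({"Domain Users", "IT"})
NOON = datetime(2012, 12, 3, 12, 0)
EVENING = datetime(2012, 12, 30, 18, 0)


def demo():
    # KAMC first: it matches every domain user, so the Internet Users policy
    # below it never gets a chance to match (the symptom reported in reply 3).
    kamc_first = wireless_login([KAMC, SECURE], MOHAMMED, NOON, ROLES)
    # Restricted policy on top, as reply 4 suggests.
    secure_first = wireless_login([SECURE, KAMC], MOHAMMED, NOON, ROLES)
    # KAMC disabled: the lower policy now matches.
    kamc_disabled = wireless_login([KAMC_OFF, SECURE], MOHAMMED, NOON, ROLES)
    # Time-restricted policy from reply 7: outside 8am-5pm nothing matches.
    it_after_hours = wireless_login([IT_HOURS], IT_USER, EVENING, ROLES)
    it_in_hours = wireless_login([IT_HOURS], IT_USER, NOON, ROLES)
    return kamc_first, secure_first, kamc_disabled, it_after_hours, it_in_hours


if __name__ == "__main__":
    print(demo())
```

    Running `demo()` returns `("kamc-lan", "internet-only", "internet-only", None, "it-role")`: the same test account lands in a different role depending only on which policy is listed first, and a user outside the time window gets an Access-Reject rather than a role.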

     



  • 8.  RE: User Derivation Rules

    EMPLOYEE
    Posted Dec 30, 2012 10:48 AM

    @GrandMarquisLS95 wrote:

    appreciate your input guys

     

    But the services on both SSIDs are entirely different. So we need to have two different user groups connect to two different SSIDs (not one SSID). A time-restriction-based policy is not applicable here, as users may have different shifts of duty (morning, evening, etc.); this is the reason why we are looking for an "AD group" based policy.

     

    So I think we need to look at another SSID, if that is possible.

     


    GrandMarquisLS95,

     

    Got it.

     

    Okay.  Let's go back to basics:

     

    What are the Application Requirements for both groups of people?  What do they need to access?  How do you want it restricted?  How many different types of users do you really have?  That will determine what solution is even technologically possible.

     

     

     



  • 9.  RE: User Derivation Rules

    Posted Jan 05, 2013 10:02 AM

    Collin,

     

    Below answers for your questions;

     

    What are the Application Requirements for both groups of people?  

    The Ex-SSID (in production): KAMC_Users = (LAN access only), all IP traffic. (Policy name on RADIUS: KAMC_Wireless_Users)

     

    The New-SSID (to be in production): KAMC_Mobile_Devices = (Internet access only, no access to LAN resources), all Internet traffic like web & apps. (Policy name on RADIUS: Secure Wireless Connection)

     

    What do they need to access?  

    Same as above

     

    How do you want it restricted?  

    By using active directory groups

    i.e. the 'Internet users group' will have access to the Internet only (LAN resources are not available to them, except AD authentication)

    'other KAMC user groups' will have access to all LAN resources except the Internet.

     

    How many different types of users do you really have?  

    2 types as mentioned above.

     

    ---------------

     

    Guys, the problem is as I mentioned in my 2nd post: when I

     

    disable (Policy name on RADIUS: KAMC_Wireless_Users), which is not acceptable because it's in production,
    then (Policy name on RADIUS: Secure Wireless Connection) works fine.

     

    enable (Policy name on RADIUS: KAMC_Wireless_Users), which is always enabled,
    then (Policy name on RADIUS: Secure Wireless Connection) does not work.

     

    -----------------------

     

    Hi all,

     

    The problem can be solved with new hardware requirements:

     

    • A new RADIUS server with device profiling (device classification) capabilities, such as Aruba ClearPass Policy Manager.
    • Aruba Policy Enforcement Firewall to be activated on the controllers. The Aruba firewall can apply different policies/VLANs based on users and device type together.

    Thank you ALL....^_^

     



  • 10.  RE: User Derivation Rules

    Posted Dec 27, 2012 02:07 PM

    @cjoseph wrote:

    GrandMarquisLS,

     

    NPS cannot be extended to understand what user connects to what SSID.

     

    Why don't you just have both sets of users just connect to the one SSID? Make sure you place the Network policy with the restriction on top so that it gets addressed first.  That way users will connect to the same SSID, but only the ones without the time restriction will connect all of the time?

     


    This is nice except when you do want different SSIDs. For instance, on our student SSID we do not allow clients to communicate with each other (deny inter-user traffic), but on our faculty network we do; unfortunately we can only control this at the virtual AP level. Thus we have two separate SSIDs.

     

    We created a server authentication group for each SSID (virtual AP), denying student access on the faculty SSID and faculty access on the student SSID.

     



  • 11.  RE: User Derivation Rules

    EMPLOYEE
    Posted Dec 27, 2012 02:11 PM

    @danstl wrote: [quoted reply 10 above]


    Danstl,

     

    You also have the option, with a single WLAN to deny user to user traffic through roles:

     

    Single SSID - 2 roles:

     

    Student Role: deny traffic from user to network1, network2, network3

    Teacher Role: allow all.

     

    Network1, Network2, Network3 can be the subnets that Students are in, and they will not be allowed to talk to each other.  Teachers, on the other hand will be able to talk to anyone on the same SSID.

     



  • 12.  RE: User Derivation Rules

    Posted Jan 02, 2013 01:38 PM

    @cjoseph wrote: [quoted reply 11 above]



    Thanks for the input - I will have to test this out... though it is a bit more complicated, as I would have to add some allow rules for each subnet, as they need to be able to access their "router" and/or other subnet-specific services... But this does appear to satisfy our needs :), and I would like to have a single SSID. I was concerned that adding a deny rule for the user's own network would make their machine unable to do anything....
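
    The following is an added example and not code from any post in this thread or from HPE Aruba. It models the single-SSID, two-role design from reply 11 together with the per-subnet allow rules reply 12 says it would need: a role's session firewall policy is evaluated top-down, the first matching rule wins, and anything unmatched hits an implicit deny. The student subnets and their gateway addresses are assumptions (the gateway is taken to be the first host of each /24); the "student" role permits each gateway, denies the rest of the student subnets, and then permits everything else, while the "teacher" role allows all.

```python
# Added example (not from the thread): role-based session ACL evaluation for
# a single SSID with student and teacher roles.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    dst: str      # destination in CIDR notation, or "any"

    def matches(self, dst_ip):
        if self.dst == "any":
            return True
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)


# Assumed student subnets (network1, network2, network3 in reply 11).
STUDENT_NETS = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"]


def student_policy(nets):
    """Permit each subnet's gateway, deny the rest of the student subnets,
    then permit everything else (Internet, servers). The gateway permits must
    sit above the subnet denies, because the first matching rule wins; put
    them below and the students lose their router along with each other."""
    rules = []
    for cidr in nets:
        gateway = next(ipaddress.ip_network(cidr).hosts())   # assumed: first host is the router
        rules.append(Rule("permit", f"{gateway}/32"))
    for cidr in nets:
        rules.append(Rule("deny", cidr))
    rules.append(Rule("permit", "any"))
    return rules


ROLES = {
    "student": student_policy(STUDENT_NETS),
    "teacher": [Rule("permit", "any")],
}


def allowed(role, dst_ip):
    """Evaluate the role's session ACL for a flow from the user to dst_ip."""
    for rule in ROLES[role]:
        if rule.matches(dst_ip):
            return rule.action == "permit"
    return False   # implicit deny at the end of every role


if __name__ == "__main__":
    # Constructed sample flows: student to another student, student to its
    # router, student to the Internet, teacher to a student.
    for role, dst in [("student", "10.10.1.50"), ("student", "10.10.1.1"),
                      ("student", "8.8.8.8"), ("teacher", "10.10.1.50")]:
        print(f"{role} -> {dst}: {'permit' if allowed(role, dst) else 'deny'}")
```

    With these rules a student is denied to any address in the three student subnets except the gateways, is permitted to everything else, and a teacher on the same SSID is permitted to anyone, which is the behaviour the two replies above describe. Any other subnet-specific service a student needs (DNS or DHCP relays inside the subnet, for instance) has to be added as a permit above the subnet deny in the same way.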