User Derivation Rules

Hi,

I have created an AD group "Internet Users" on the MS server, and 1 member is now in this group for testing.

Also, I have created an SSID on the wireless controller: "Mobile Users".

I tried many times with rules under (Server Group) but got no benefit; each time all members can access the SSID and use the Internet.

What I need is a rule that permits "Internet Users" MEMBERS ONLY to connect to the SSID.

Thanks in advance.

Mohammed

Re: User Derivation Rules

Hello,

Are you using EAP PEAP or EAP TLS?

For both you need a certificate installed on the server...

If you have a Certificate Authority, a certificate from a machine template is enough...

After you have the certificate installed on your server,

you need to create a connection request policy and a network policy rule.

1- On the network policy rule you need to configure the group that will have access.

2- Then you also need to select the certificate you are using (the one you installed on your server) and select EAP PEAP.

3- Then you need to put the Filter-Id to send the role name to the controller...

On the controller you need to create a role with the same name you put on the NPS, and under that role you configure all the firewall rules you want.

On the server rules you need to create a server with this rule:

On attribute put Filter-Id, on operation put value-of, on type put string, on action put set role.

After that it should work correctly.

For a guide on how to configure it on the NPS,

you can follow this guide, which I think Colin made for us and which is really helpful:

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

That will help you.

If you have trouble, please post some screenshots of the config and we will try to help you.

Cheers,

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Re: User Derivation Rules

Hi Carlos,

Really appreciate your reply, and sorry for the late response.

I did most of the steps that were mentioned, but I got this:

On Radius1 I have multiple policies; one of them is (Secure Wireless Connection), which was created later for this subject. There is also a policy called (KAMC_Wireless_Users); if this one is set to:

Disabled (which is not acceptable): Secure Wireless Connection works fine.

Enabled: Secure Wireless Connection will not work.

I'm attaching:

Policy snapshots > Radius 1

Master snapshots > Master Controller

CLI commands and test > Master controller.

Note:

KAMC_Wireless_Users is going to be in the production environment soon.

KAMC_Wireless_Users permits users to use the internet during certain hours.

Re: User Derivation Rules

GrandMarquisLS,

NPS cannot be extended to understand which user connects to which SSID.

Why don't you just have both sets of users connect to the one SSID? Make sure you place the network policy with the restriction on top so that it gets addressed first. That way users will connect to the same SSID, but only the ones without the time restriction will connect all of the time?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: User Derivation Rules

Colin is right.

Here, in the solution that Colin is telling you, you will use derived roles.

To use it is simple:

Under settings under network policy, you will add a new one... select Filter-Id, for example.

On the controller you will create a role, for example:

IT role

Sales role

On the Filter-Id in the network policy you have to put the SAME name, so the RADIUS server sends the attribute to the wireless controller, and it applies the role with the same name....

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Re: User Derivation Rules


cjoseph wrote:

GrandMarquisLS,

 

NPS cannot be extended to understand what user connects to what SSID.

 

Why don't you just have both sets of users just connect to the one SSID? Make sure you place the Network policy with the restriction on top so that it gets addressed first.  That way users will connect to the same SSID, but only the ones without the time restriction will connect all of the time?

 


This is nice except when you do want different SSIDs.  For instance, on our student SSID we do not allow clients to communicate with eachother (Deny inter user traffic), but our faculty network we do - unfortunatly we can only control this from the virtual AP level.  Thus we have two seperate SSIDs.

 

We created a server authentication group for each SSID (virtual AP), deny student access for the faculty SSID, and Faculty for the student SSID.

Re: User Derivation Rules


danstl wrote:

cjoseph wrote:

GrandMarquisLS,

 

NPS cannot be extended to understand what user connects to what SSID.

 

Why don't you just have both sets of users just connect to the one SSID? Make sure you place the Network policy with the restriction on top so that it gets addressed first.  That way users will connect to the same SSID, but only the ones without the time restriction will connect all of the time?

 


This is nice except when you do want different SSIDs.  For instance, on our student SSID we do not allow clients to communicate with eachother (Deny inter user traffic), but our faculty network we do - unfortunatly we can only control this from the virtual AP level.  Thus we have two seperate SSIDs.

 

We created a server authentication group for each SSID (virtual AP), deny student access for the faculty SSID, and Faculty for the student SSID.

 


Danstl,

 

You also have the option, with a single WLAN to deny user to user traffic through roles:

 

Single SSID - 2 roles:

 

Student Role  deny traffic from user to network1, network2, network3

Teacher Role:  Allow all.

 

Network1, Network2, Network3 can be the subnets that Students are in, and they will not be allowed to talk to each other.  Teachers, on the other hand will be able to talk to anyone on the same SSID.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: User Derivation Rules

Appreciate your input, guys.

But the services on both SSIDs are entirely different. So, we need two different user groups to connect to two different SSIDs (not one SSID). A time-restriction-based policy is not applicable here, as users may have different shifts of duty (morning, evening, etc.); this is the reason why we are looking for an "AD Group" based policy.

So I think we need to look at another SSID, if that is possible.

Re: User Derivation Rules

On the NPS you can set when that policy works... I mean, on the network policy you can put the first policy, for example:

IT

You select IT in the AD.

In the same rule you also select time-based, and you put there when that policy will work; let's say it will work from 8am to 5pm.

When a user wants to connect after 5pm the policy won't work, so that user won't be able to connect.

On the other rule you select Sales.

In the same rule you also select time-based and you do the same...

I don't know if that's what you want? And you can still use one SSID.

If not, please explain more clearly what the scenario is.

I haven't tried what I told you, but I believe it works correctly. I can do the lab, I guess, but I'm pretty sure it will work correctly, just as I have many MANY network policies on my NPS with different combinations and they all work when they need to... I have all the switch authentication with the NPS, WC, VIA, firewalls, etc. etc. in one NPS.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
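An added example, not code from this thread or from Microsoft NPS or ArubaOS, modelling the two behaviours the replies above rely on: NPS evaluates its network policies top-down and the first enabled policy whose AD-group and day/time conditions match decides the request, and the controller's server derivation rule (attribute Filter-Id, operation value-of, action set role) only applies a role whose name exactly matches what was returned. Policy and role names are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import time
# Constructed model (not NPS or ArubaOS code) of two behaviours discussed in
# the thread: NPS walks its network policies top-down and the first enabled
# policy whose conditions match decides the request; the controller's server
# derivation rule then sets the role to the value of the returned Filter-Id,
# which only takes effect when a role of exactly that name exists.

@dataclass
class Policy:
    name: str
    groups: set                 # AD groups this policy applies to
    enabled: bool = True
    start: time = time(0, 0)    # optional day/time window
    end: time = time(23, 59)
    filter_id: str = ""         # role name handed to the controller

@dataclass
class Request:
    user: str
    groups: set                 # AD groups the user belongs to
    at: time

def nps_decide(policies, req):
    """Return (matched policy name, attributes) or (None, None) for a reject."""
    for p in policies:
        if p.enabled and (p.groups & req.groups) and p.start <= req.at <= p.end:
            return p.name, {"Filter-Id": p.filter_id}
    return None, None           # no policy matched: Access-Reject

def derive_role(attrs, controller_roles, default_role="guest"):
    """Controller side: 'set role' to value-of Filter-Id if that role exists."""
    if attrs is None:
        return None
    name = attrs.get("Filter-Id", "")
    return name if name in controller_roles else default_role

CONTROLLER_ROLES = {"internet-users", "mobile-users"}   # assumed role names

def demo(restrictive_first):
    """One user in both groups; which policy wins depends only on ordering."""
    broad = Policy("KAMC_Wireless_Users", {"Domain Users"},
                   start=time(8, 0), end=time(17, 0), filter_id="mobile-users")
    strict = Policy("Secure Wireless Connection", {"Internet Users"},
                    filter_id="internet-users")
    policies = [strict, broad] if restrictive_first else [broad, strict]
    req = Request("alice", {"Domain Users", "Internet Users"}, time(10, 0))
    matched, attrs = nps_decide(policies, req)
    return matched, derive_role(attrs, CONTROLLER_ROLES)
```

`demo(False)` shows the broad policy capturing the user when it sits on top, which is the symptom described for KAMC_Wireless_Users; `demo(True)` shows the restrictive policy winning once it is placed first.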
Re: User Derivation Rules


GrandMarquisLS95 wrote:

appreciate your input guys

 

But the services on both SSID are entirely different. So, we need to have two different user groups to connect two different SSID’s (not one SSID) . Time restriction based policy is not applicable here as users may have different shifts of duty(morning, evening etc.) this is the reason why we are looking for “AD Group” based policy.

 

So I think we need to look to another SSID if that possible.

 


GrandMarquisLS95,

 

Got it.

 

Okay.  Let's go back to basics:

 

What are the Application Requirements for both groups of people?  What do they need to access?  How do you want it restricted?  How many different types of users do you really have?  That will determine what solution is even technologically possible.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: