MVP
Posts: 2,958
Registered: 10-25-2011

User Derivation rules

[ Edited ]

Has anyone used this?

Does anyone have a manual on how to use this?

What I want to achieve is this:

I have about 5 different Active Directory groups.

I want to assign a different role depending on which AD group the user is in...

Let's say I have these groups in AD:

Engineering

Sales

IT

Just using one SSID.

Assign the Engineering group the Engineering ROLE I have in my Aruba controller

Assign the Sales group the Sales ROLE I have in my Aruba controller

And so on.

Does anyone have a manual on how to do this?

Or could tell me how to do it?

Right now I'm using NPS on Windows 2008 R2, using RADIUS with a certificate and EAP.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 664
Registered: 04-15-2009

Re: User Derivation rules

I am assuming you are doing PEAP on your SSID, right?  If so, have your RADIUS server pass back an attribute that includes "Engineering", "Sales" or "IT" (based on group membership).  Then, set up your Server Derivation Rule (SDR) like this:

Attribute: Class (or whatever other RADIUS attribute you are passing back, but Class is a good one)

Operation: value-of

Type: string

Action: set role

What that means is that upon successful authentication, the controller will take whatever the RADIUS server sends back in the Class attribute (or whichever attribute you selected) and use it as the role for that user.

If you have the Aruba dictionary loaded on your RADIUS server, you can pass back Aruba-User-Role and the controller will automatically use that value as the user role without having to create an SDR.

MVP
Posts: 2,958
Registered: 10-25-2011

Re: User Derivation rules

What I have configured is simple right now...

On the Windows RADIUS server I have the NPS role installed

http://community.arubanetworks.com/aruba/attachments/aruba/115/6113/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

That is what I have configured right now...

Instead of putting all the domain users, I have a single group... which works well if everyone that connects through the wireless had the same role, but this is not the case here... we would like to have about 5 different Active Directory groups and, for each Active Directory group, assign a different role on the wireless controller.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 664
Registered: 04-15-2009

Re: User Derivation rules

You will need to configure several network policies in NPS.  Each will allow the same type of authentication (PEAP/MSChapV2, etc), but each one will have different group membership requirements.  If the user is in the "Sales" AD group, NPS will pass back "Sales" as the Class RADIUS attribute.  If the user is in "IT", NPS will pass back "IT" as the Class attribute (and so on...).

MVP
Posts: 2,958
Registered: 10-25-2011

Re: User Derivation rules

[ Edited ]

Olino, thanks for answering my thread!

I do understand that, Olino.

But it's not working for me, there's something I have wrong somewhere...

This is what I have:

On my NPS server I have Filter-Id=Ingenieria. That's a ROLE I configured on my wireless controller.

On my wireless controller I did what you said:

Attribute: Class (or whatever other RADIUS attribute you are passing back, but Class is a good one)

Operation: value-of

Type: string

Action: set role

I set this under Authentication --> AAA Profiles --> NPS-aaa_prof (this is the profile I'm using on my SSID) --> Server Rules

And in there I configured what you said.

Is this part correct?

On the NPS server I have:

In the network policy, I double-click my network policy, on the Settings tab under RADIUS Attributes > Standard I click Add and select Filter-Id --> I click Edit on Filter-Id and then put the value Ingenieria (which is the ROLE I have on my Aruba controller).

Is there anything I have wrong?

I can give you screenshots of my config if you need to see it....

Or outputs?

Because from what I see, it looks really simple, but there must be something I'm missing...

I'm still getting the default role...

It's assigning the default role to my user.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 664
Registered: 04-15-2009

Re: User Derivation rules

You will have to use filter-id as the attribute in the controller OR return Class as the attribute from NPS.

Right now, NPS is returning the role name in filter-id, but the controller is configured to look for Class.

The return attribute from NPS and the attribute specified in the controller SDR have to match.
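The SDR described in the first reply, and the attribute mismatch explained just above, modelled as an added example (not code from the thread or from Aruba): a small function that applies a value-of / set-role rule to the attributes of a decoded RADIUS Access-Accept. The Aruba-User-Role shortcut, the rule that a returned value must name a configured role, and the fallback to the default role are assumptions stated in the comments; role names are constructed samples.

```python
# Added example (not from the thread): a model of an Aruba Server Derivation
# Rule (SDR) that sets the user role from a RADIUS Access-Accept attribute.
# Attributes arrive already decoded as name -> list of values; RADIUS packet
# parsing is out of scope. All role names below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class ServerRule:
    """One SDR row as entered under AAA Profiles --> Server Rules."""
    attribute: str            # "Class" or "Filter-Id": must match what NPS returns
    operation: str = "value-of"
    action: str = "set role"

def derive_role(access_accept, rules, configured_roles, default_role):
    """Return the role the controller assigns after a successful authentication.

    access_accept: dict of RADIUS attribute name -> list of string values
    (attributes can repeat, so values are kept as a list).
    Assumptions: an Aruba-User-Role VSA is honoured without any SDR, a value-of
    rule only applies when the returned string names a role configured on the
    controller, and anything else leaves the user in the default role.
    """
    for value in access_accept.get("Aruba-User-Role", []):
        if value in configured_roles:
            return value
    for rule in rules:
        if rule.operation != "value-of" or rule.action != "set role":
            continue
        for value in access_accept.get(rule.attribute, []):
            if value in configured_roles:
                return value
    return default_role

# Constructed sample: roles defined on the controller and the SSID's default role.
ROLES = {"Engineering", "Sales", "IT", "Ingenieria"}
DEFAULT = "authenticated"

# The thread's failure: NPS returns the role in Filter-Id but the SDR reads Class.
MISMATCH = derive_role({"Filter-Id": ["Ingenieria"]}, [ServerRule("Class")], ROLES, DEFAULT)
# Fix 1 (what the thread settled on): point the SDR at Filter-Id.
FIXED_SDR = derive_role({"Filter-Id": ["Ingenieria"]}, [ServerRule("Filter-Id")], ROLES, DEFAULT)
# Fix 2: keep the SDR on Class and have the NPS network policy return the group name in Class.
FIXED_NPS = derive_role({"Class": ["Sales"]}, [ServerRule("Class")], ROLES, DEFAULT)
# With the Aruba dictionary loaded, Aruba-User-Role needs no SDR at all.
VSA = derive_role({"Aruba-User-Role": ["IT"]}, [], ROLES, DEFAULT)
# A value naming no configured role falls back to the default (assumed behaviour).
UNKNOWN = derive_role({"Class": ["Marketing"]}, [ServerRule("Class")], ROLES, DEFAULT)
```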

MVP
Posts: 2,958
Registered: 10-25-2011

Re: User Derivation rules

So on the controller it should be like this?

Attribute: Filter-id

Operation: value-of

Type: string

Action: set role
----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 664
Registered: 04-15-2009

Re: User Derivation rules

Yes, that should work.

MVP
Posts: 2,958
Registered: 10-25-2011

Re: User Derivation rules

Olino, thank you very much.

It's working perfectly!

Thank you to all the Aruba experts that help us :)

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 664
Registered: 04-15-2009

Re: User Derivation rules

Glad to hear it's working!
