Wireless Access

Contributor II

Aruba and Windows 2008 NPS

Hi everyone,

 

Thanks to some other posts I found here, I now have a working Aruba/NPS authentication setup for our school district.  However, one item is a bit of a mystery to me.  This is probably more of an NPS thing than an Aruba thing, so I apologize in advance for it being possibly off topic.  However, I thought that since there are a lot of people using NPS and Aruba out there, someone might know the answer. :)

 

Right now, I have 3 Network Policies defined in NPS:

 

The first is for Machine Authentication.  All of our workstations are joined to our AD domain.  The rule says that if the machine is a member of the machine group "Domain Computers", it is granted access.  The policy passes back the Class value "StaffAccess", which is the role that the Aruba controller places the machine into, which is granted unrestricted access to the network.

 

The second rule is for employees.  If the user is a member of the AD group that contains all employees, they are granted access and again, the policy passes back the Class value "StaffAccess".

 

The third rule is for students.  If the user is a member of the AD group that contains all students, they are granted access, but this time, the policy passes back the Class value "StudentAccess".

 

On my Aruba controller, in the server group, I have one Server Rule defined:

* Attribute:  Class

* Operation:  value-of

* Type:  String

* Action:  set role

 

The role that is applied to the user or computer, either "StaffAccess" or "StudentAccess", has certain firewall rules applied to it.  To be specific, "StaffAccess" has no rules, so it's wide open, and "StudentAccess" has rules that effectively only give access to the internet, not any internal resources.

 

That all works great!  Where I'm confused, though, is what happens if a user doesn't belong to any of the groups defined in my NPS rules.  We have a few "generic" accounts in AD that don't belong to either of those groups.  For example, our site techs each have a generic account (not their own personal account) that is assigned to the site.  They use that for logging into school workstations to perform administrative tasks that are normally locked down.  Since the workstations all do machine auth, this isn't a problem, but one of our techs once tried to use one of these accounts on her iPad, and found that she couldn't connect to an Apple TV.  When I looked on the local controller at her site, I saw that her account had been placed into the "StudentAccess" role.  But I'm trying to figure out how that happened! :)

 

Does NPS apply the last policy in your policy set to you even if you don't match the criteria?  Or is this something the Aruba controller did, and if so, how did it determine which role to place her in?

 

Thanks!

Guru Elite

Re: Aruba and Windows 2008 NPS

What is your 802.1x default role set to?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba

Re: Aruba and Windows 2008 NPS

There are 3 places that roles will come from in your scenario (iPad with Staff user, and non-matching condition).


They are as follows (all on the Aruba controller under AAA Profile in use for the VAP you have people connecting to):  

 

* 802.1x default role --- used when both user and machine auth is done/succeeds, yet no matching string/attribute comes back from your NPS

* default machine role --- used when machine-only auth is done/succeeds, yet no matching string/attribute comes back from your NPS

* default user role --- used when user-only auth is done/succeeds, yet no matching string/attribute comes back from your NPS

 

So with your iPad example, machine auth does not succeed, right? Thus you are in bucket #3 (user == good, machine == not)... aka the default user role on the Aruba controller.

 

I would recommend checking that... see the attached diagram for the screens that these fields are on. In my example, test-user is the role that an employee on an iPad would likely fall into. Check your field... likely it says studentxxxx.

Let us know how you make out!

 

JF

 

Aruba

Re: Aruba and Windows 2008 NPS

To find out where the role was applied from, run the following command and look for the role derivation line to see if it came from the default AAA role or a VSA from RADIUS.

 

 show user  ip <ip of user>

 

You may consider adding another policy as a catch all policy for "other users" and return whatever role you want (or just let the default 802.1X role of the AAA profile apply).

 

But you should also check your NPS logs to see what Network Policy allowed that generic account to pass. If your conditions for the other three are based on group memberships, it must have passed another policy.

 

Example:

show user ip 192.168.13.157

 

Name: , IP: 192.168.13.157, MAC: c8:bc:c8:85:10:9d, Role:authenticated, ACL:60/0, Age: 04:02:06
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: unknown
.........................................

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II

Re: Aruba and Windows 2008 NPS

Thanks for the responses, everyone!

 

JF: I looked at the 2 screen shots you sent.  Here's how my controller is configured:

 

802.1X Authentication Profile --> (My 802.1x auth profile name)

   Machine Authentication: Default Machine Role:  guest

   Machine Authentication: Default User Role:  guest

 

AAA Profile --> (My AAA profile name)

   802.1X Authentication Default Role:  authenticated

 

I don't know if "authenticated" is a built-in role or something that was created.  I inherited this setup and wasn't involved in its initial configuration.

 

clembo:  Using the command you gave me, I got the following:

 

   Role Derivation: Matched server rule

Is that trying to tell me that it matched a role from the "Class" value that was passed back by NPS?  If so, then I'm stumped, because the user I'm authenticating as is definitely not a member of any of the groups specified in the NPS policies.  NPS' logging doesn't tell me much, either, unless I'm looking in the wrong place.

Aruba

Re: Aruba and Windows 2008 NPS

Yes, from server rule would mean the attribute (class in this case) defined in the server group.   I would check the NPS logs again.  The log will show which Network Policy was used during the authentication.  This should help you determine which policy was hit; then you can troubleshoot why based on the conditions you have set.  It will be at the bottom of the event.

 

You can view the logs from under Server Manager --> Diagnostics --> Event Viewer --> Custom Views --> Server Roles --> Network Policy and Access Services.   You may have to search for your particular authentication.

 

[attachment: nps-event-policy.png]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II

Re: Aruba and Windows 2008 NPS

I'm looking in the NPS logs now (Thanks for steering me in the right direction there!), but right now all it's showing me are when it denies access.  None of the successful authentications are showing up.  Am I missing something?

 

Thanks!

Aruba

Re: Aruba and Windows 2008 NPS

Welcome to the confusing world of Microsoft Radius Log files...   Our ClearPass AAA solution has much easier to read/digest logs, perhaps test-drive that one at some point. ;)

 

For the present time, you have NPS of course... within NPS, by default, successful events are logged.

 

"NPS records connection request failure events in the System and Security event logs by default.  Connection request failure events consist of requests that are rejected or discarded by NPS.

 

Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS snap-in. Some events that might contain sensitive data are recorded in the Event Viewer security log."

 

Are you looking in the multiple locations indicated above (System log, Security log, and Event Viewer) and there are no events on successful logins?

 

JF

Aruba

Re: Aruba and Windows 2008 NPS

If you are only seeing failures, run the following command:

 

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
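The two posts above describe the procedure by hand: enable NPS success/failure auditing, then dig through the Security log for the event whose bottom section names the Network Policy that matched. The script below is an added example (not from the thread, not Aruba or Microsoft code) that automates that second step. It assumes auditing was already enabled with the auditpol command above, and relies on the standard NPS audit events 6272 (access granted) and 6273 (access denied), whose EventData carries the NetworkPolicyName, ProxyPolicyName (connection request policy), calling station MAC and NAS address. The parameter defaults and the example account filter "sitetech" are assumptions for illustration.

```powershell
# Added example: list recent NPS grants/denies with the Network Policy that matched.
# Assumes: Windows Server 2008 R2 or later NPS, run locally on the NPS server with
# rights to read the Security log, and "Network Policy Server" auditing enabled
# (auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable).

function Get-NpsAuthEvents {
    param(
        # Substring of the account name to look for; '*' matches everything.
        [string]$User = '*',
        # How far back to search.
        [int]$Hours = 24
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273          # 6272 = granted, 6273 = denied
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d['SubjectUserName'] -notlike "*$User*") { continue }

        [pscustomobject]@{
            Time           = $e.TimeCreated
            Result         = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
            User           = $d['FullyQualifiedSubjectUserName']
            CallingStation = $d['CallingStationID']      # client MAC as sent by the controller
            NAS            = $d['NASIPv4Address']        # the Aruba controller
            ConnReqPolicy  = $d['ProxyPolicyName']       # Connection Request Policy that matched
            NetworkPolicy  = $d['NetworkPolicyName']     # Network Policy that matched (the question)
            AuthType       = $d['AuthenticationType']
            Reason         = $d['Reason']                # populated on 6273 (denied) only
        }
    }
}

# Usage: show every decision for the generic site-tech account (name assumed) in the last day.
Get-NpsAuthEvents -User 'sitetech' -Hours 24 |
    Sort-Object Time |
    Format-Table Time, Result, User, NetworkPolicy, CallingStation, NAS -AutoSize
```

If the NetworkPolicy column shows the student policy for an account that is not in the student group, the next thing to inspect is that policy's conditions (and the order of the policies, since NPS evaluates them top to bottom and stops at the first match); if it shows no 6272 at all for the account, the Class attribute the controller matched did not come from that authentication, which points back at the controller's role derivation rather than NPS.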

Aruba

Re: Aruba and Windows 2008 NPS

The full write-up is here:

 

http://support.microsoft.com/kb/951005

 

 
