04-16-2012 03:32 AM
Just a question in general - If I use authentication with a RADIUS back-end and I publish an SSID called for example "Student".
Do I define in server group rules which user group/OU could be able to authenticate using RADIUS to that SSID?
In effect - If users are members of a group called "Students" or are placed in an OU named "Students" (whichever works is fine with me) they should be able to authenticate on that SSID; if not, the authentication should fail.
If this is possible, can you give me a brief example on how to go about this?
04-16-2012 05:26 AM
Here's how I would do it.
1. Create a new radius server group.
2. Add in your radius server and add two server rules to that server group:
Class equals Student set role authenticated
Class not-equals Student set role no-access
3. Apply this server group to your SSID for Student-only access
4. Make sure that your RADIUS server is passing back the Class of Student for students in the Students OU or group.
If you need help with any of the above steps, please just ask.
04-18-2012 11:09 PM
I have achieved this in the past by utilising the NAS ID property of the radius server when defining the radius server.
For example, if you are authenticating staff and students using the same radius server, you could create two instances of the same radius server and just use a NAS ID of staff or students. Make sure that the student SSID uses the radius profile that uses the student NAS ID.
Add a check parameter to the radius authentication so that in order to authenticate a student the user must be a member of the students group and the nas id must match "student".
If a student comes through on the staff NAS ID then the authentication will be rejected.
That is just one way that I have found pretty easy to use in the past.
07-16-2012 06:26 AM
I need help doing the same thing with staff and students. I am new to the Aruba controller and am getting a little lost when following your directions. I have all my students in a security group called Students. Is that what the NAS ID is? Do I need to set anything special on the radius server?
08-16-2012 02:19 PM
I haven't done this with the use of a NAS ID but I don't think you need to for what you are looking to accomplish. On the Aruba side your Auth Server should look something like this:
aaa server-group "802.1x-ServerGroup"
set role condition Class contains "students" set-value Student-Authenticated
set role condition Class contains "teachers" set-value Teacher-Authenticated
On your IAS/NPS server you should have 2 access policies. 1 for students, 1 for teachers.
-Student policy will have the windows security group for "students". It should also have the class attribute set to "students" as well.
-Teacher policy will have the windows security group for "teachers". It should also have the class attribute set to "teachers" as well.
Once that's done restart RADIUS services.
If this still isn't working look at your IAS/NPS logs.
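The two rule styles in this thread (exact `Class equals/not-equals` rules in the 04-16 post, `Class contains` rules in the 08-16 post) both hinge on what the RADIUS server actually returns. The following is an added example, not code from the thread or from ArubaOS: a small Python model of ordered server-group derivation rules, run over constructed Access-Accept attribute sets, whose operator semantics (first match wins, case-sensitive matching, an absent attribute satisfies no positive rule) are assumptions of the model rather than verified controller behaviour.

```python
"""Added example, not from the thread or from ArubaOS: a model of the
"set role condition <attr> <op> <value> set-value <role>" server-group
rules in the 04-16 and 08-16 posts, evaluated over constructed RADIUS
Access-Accept attributes.  Assumed semantics: first matching rule wins,
matches are case-sensitive, an absent attribute satisfies no positive rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str  # RADIUS attribute name, e.g. "Class" or "Filter-Id"
    operator: str   # "equals", "not-equals" or "contains"
    value: str
    role: str       # role assigned when the condition holds


def _holds(rule, values):
    """Evaluate one rule against every value of a (possibly repeated) attribute."""
    if rule.operator == "equals":
        return any(v == rule.value for v in values)
    if rule.operator == "contains":
        return any(rule.value in v for v in values)
    if rule.operator == "not-equals":
        # True when no value equals the target, including when the attribute
        # is absent, so a reply without Class lands in the deny role.
        return not any(v == rule.value for v in values)
    raise ValueError(f"unknown operator {rule.operator!r}")


def derive_role(rules, attrs, default_role="no-access"):
    """Return the role of the first rule that holds; attrs maps name -> list of values."""
    for rule in rules:
        if _holds(rule, attrs.get(rule.attribute, [])):
            return rule.role
    return default_role


# Exact-match rules for a student-only SSID, as in the 04-16 post.
STUDENT_SSID_RULES = [
    Rule("Class", "equals", "Student", "authenticated"),
    Rule("Class", "not-equals", "Student", "no-access"),
]

# Substring rules for an SSID shared by students and teachers, as in the 08-16 post.
SHARED_SSID_RULES = [
    Rule("Class", "contains", "students", "Student-Authenticated"),
    Rule("Class", "contains", "teachers", "Teacher-Authenticated"),
]
```

The cases worth checking against a real NPS policy are the ones that fall through to `no-access`: an Accept with no Class attribute at all, and a Class value whose capitalisation differs from the rule.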
08-20-2012 03:35 PM
We just replaced an SC1 with an M3 at school. I set up an NPS server to handle radius auth and a server group for that radius server.
I have roles set up for the following: staff/faculty, student, unregistered (we use a NAC device which intercepts the radius packet and if unregistered assigns that role), remediation (same with the NAC controlling this).
Upon successful authentication, we have rules set up which send staff, faculty, or student back to the controller in the Filter-ID Radius attribute. The rules for the Server Group on the controller are based on what the Filter ID is passed back as; each group of users gets put on the appropriate VLAN based on the result of the rule that their role matches up with.