Wireless Access

Occasional Contributor II

Controlling which SSID users using RADIUS can connect to

Hi,

 

Just a general question. If I use authentication with a RADIUS back-end and publish an SSID called, for example, "Student":

Do I define, in the server group rules, which user group/OU is able to authenticate via RADIUS to that SSID?

 

In effect, if users are members of a group called "Students" or are placed in an OU named "Students" (whichever works is fine with me), they should be able to authenticate on that SSID; if not, the authentication should fail.

 

If this is possible, can you give me a brief example on how to go about this?

 

Regards,
Tommy

Aruba Employee

Re: Controlling which SSID users using RADIUS can connect to

Here's how I would do it.

 

1. Create a new radius server group.

2. Add in your radius server and add two server rules to that server group:

 

Class equals Student set role authenticated

Class not-equals Student set role no-access

 

3. Apply this server group to your SSID for Student-only access

4. Make sure that your RADIUS server is passing back the Class of Student for students in the Students OU or group.

 

If you need help with any of the above steps, please just ask.

Thanks,

Zach Jennings
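The four steps above written out as one ArubaOS CLI fragment. This is an added illustration, not configuration from the reply: the server name, host address, shared-secret placeholder, profile names, VLAN and the "no-access" user role (assumed here to be a locally defined role with the built-in denyall session ACL) are all assumptions. It also shows the binding of the server group to the SSID through the AAA profile and virtual AP, which the reply only names as step 3.

```text
! 1. RADIUS server definition (host and key are placeholders)
aaa authentication-server radius "NPS-1"
 host 192.0.2.10
 key <shared-secret>
 enable
!
! A role that passes no traffic; assumed to be defined locally.
user-role no-access
 access-list session denyall
!
! 2. Server group with ordered server-derivation rules.
!    Rules are evaluated top-down and the first match sets the role.
!    The not-equals rule makes every non-student fail closed instead
!    of falling through to the 802.1X default role.
aaa server-group "Student-SG"
 auth-server "NPS-1"
 set role condition Class equals "Student" set-value authenticated
 set role condition Class not-equals "Student" set-value no-access
!
! 3. Bind the server group to the SSID via AAA profile and virtual AP.
!    dot1x-default-role is also no-access as a second safety net for
!    an Access-Accept that carries no Class attribute at all.
aaa authentication dot1x "Student-dot1x"
!
aaa profile "Student-AAA"
 initial-role logon
 authentication-dot1x "Student-dot1x"
 dot1x-default-role no-access
 dot1x-server-group "Student-SG"
!
wlan ssid-profile "Student-SSID"
 essid "Student"
 opmode wpa2-aes
!
wlan virtual-ap "Student-VAP"
 ssid-profile "Student-SSID"
 aaa-profile "Student-AAA"
 vlan 20
!
! 4. The RADIUS server must return Class = "Student" for members of the
!    Students group/OU (done in the NPS/IAS policy, not on the controller).
```

Two caveats worth keeping in mind. First, `equals` only matches when the server returns exactly that one Class value; if the server also returns its own Class values, `contains` (as used in a later reply) is more tolerant. Second, with this design the 802.1X exchange itself still succeeds for a non-student; the client associates and is simply placed in a role that drops all traffic. If the authentication must be rejected outright, the decision has to be made on the RADIUS server, for example by conditioning the policy on the NAS-Identifier as another reply in this thread describes.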
Occasional Contributor I

Re: Controlling which SSID users using RADIUS can connect to

Assuming you are using Windows IAS.

Windows IAS > Remote Access Policies >Policy_Name > Properties > Policy Condition > Add | Windows-Groups>Group Name

 

 

Contributor I

Re: Controlling which SSID users using RADIUS can connect to

Hi

 

I have achieved this in the past by utilising the NAS-ID property of the RADIUS server when defining the RADIUS server.

 

For example, if you are authenticating staff and students using the same RADIUS server, you could create two instances of the same RADIUS server and just use a NAS-ID of "staff" or "students". Make sure that the student SSID uses the RADIUS profile that uses the student NAS-ID.

 

Add a check parameter to the RADIUS authentication so that, in order to authenticate a student, the user must be a member of the Students group and the NAS-ID must match "students".

 

If a student comes through on the staff NAS-ID, then the authentication will be rejected.

 

That is just one way that I have found pretty easy to use in the past.

 

Thanks
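The controller side of the NAS-ID approach described above, as an added ArubaOS CLI example rather than configuration from the post. The same RADIUS host is defined twice, each instance stamping a different NAS-Identifier on its requests so the server can tell which SSID the request arrived from. Server names, host address, shared-secret placeholder, profile and SSID names are assumptions.

```text
! Two instances of the same RADIUS host; only the NAS-Identifier differs.
aaa authentication-server radius "NPS-Students"
 host 192.0.2.10
 key <shared-secret>
 nas-identifier "students"
 enable
!
aaa authentication-server radius "NPS-Staff"
 host 192.0.2.10
 key <shared-secret>
 nas-identifier "staff"
 enable
!
! One server group per population, each using only its own instance.
aaa server-group "Students-SG"
 auth-server "NPS-Students"
!
aaa server-group "Staff-SG"
 auth-server "NPS-Staff"
!
! Each SSID's AAA profile points at the matching server group, so a
! request from the Student SSID always carries NAS-Identifier=students.
aaa profile "Students-AAA"
 dot1x-server-group "Students-SG"
!
aaa profile "Staff-AAA"
 dot1x-server-group "Staff-SG"
!
wlan virtual-ap "Students-VAP"
 ssid-profile "Students-SSID"
 aaa-profile "Students-AAA"
!
wlan virtual-ap "Staff-VAP"
 ssid-profile "Staff-SSID"
 aaa-profile "Staff-AAA"
!
```

On the RADIUS server this pairs with two network policies whose conditions must all match: the Students policy requires Windows group DOMAIN\Students and a NAS-Identifier condition matching "students"; the Staff policy requires DOMAIN\Staff and NAS-Identifier "staff". A student associating to the staff SSID matches neither policy and is rejected at the RADIUS level, which is the behaviour the original question asked for. Because the NAS-Identifier is set by the controller, not the client, a user cannot pick a different value to reach the other policy.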

 

 

Occasional Contributor I

Re: Controlling which SSID users using RADIUS can connect to

I need help doing the same thing with staff and students. I am new to the Aruba controller and am getting a little lost when following your directions. I have all my students in a security group called Students. Is that what the NAS-ID is? Do I need to set anything special on the RADIUS server?

Occasional Contributor II

Re: Controlling which SSID users using RADIUS can connect to

I haven't done this with the use of a NAS ID but I don't think you need to for what you are looking to accomplish. On the Aruba side your Auth Server should look something like this:

 

aaa server-group "802.1x-ServerGroup"
 auth-server 192.168.1.30
 auth-server 192.168.1.31
 set role condition Class contains "students" set-value Student-Authenticated
 set role condition Class contains "teachers" set-value Teacher-Authenticated
!

 

On your IAS/NPS server you should have two access policies: one for students, one for teachers.

-Student policy will have the windows security group for "students". It should also have the class attribute set to "students" as well.

-Teacher policy will have the windows security group for "teachers". It should also have the class attribute set to "teachers" as well.

 

Once that's done, restart the RADIUS service.

 

If this still isn't working, look at your IAS/NPS logs.

 

New Contributor

Re: Controlling which SSID users using RADIUS can connect to

We just replaced an SC1 with an M3 at school. I set up an NPS server to handle RADIUS auth and a server group for that RADIUS server.

 

I have roles set up for the following: staff/faculty, student, unregistered (we use a NAC device which intercepts the RADIUS packet and, if unregistered, assigns that role), and remediation (same, with the NAC controlling this).

 

Upon successful authentication, we have rules set up which send staff, faculty, or student back to the controller in the Filter-Id RADIUS attribute. The rules for the server group on the controller are based on what Filter-Id is passed back; each group of users gets put on the appropriate VLAN based on the result of the rule that their role matches.
