Wireless Access

Occasional Contributor I
Posts: 6
Registered: ‎06-10-2015

Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

Hi, Using Virtual Controller on Instant, I have configured an SSID with 802.1x to authenticate computers against Active Directory. This is working fine.

The same Radius server, NPS on Server 2008R2, is configured to allow user authentication (needed for other reasons).

Now, if employees connect to my "managed computers" SSID from e.g. their iPhone, they are prompted to log in with AD credentials, and then allowed through.

I have looked at Access rules, and Roles, but the question is, can I limit authentication to Machine only on one SSID / VLAN, and User only on a different SSID / VLAN?

I would appreciate a point in the right direction. I could set up a separate Radius server, but that doesn't feel very elegant!

Many Thanks

Adrian

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

Please see the article here:  http://community.arubanetworks.com/t5/Controller-less-WLANs/Can-we-do-machine-authentication-in-Aruba-Instant/ta-p/181242



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎06-10-2015

Re: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

Hi Colin, thanks for the reply. I am probably being thick, but I don't quite understand the two drop down options.

When you check "enforce Machine Authentication" you get the two drop downs. One Machine auth only, and one User auth only.

I don't want User Auth on this SSID, but I have to choose something for that...?

Thanks

Adrian

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

If you already have your Windows clients configured for "Machine" only authentication, in your radius server, you would only need to allow users from the "domain computers" AD group and you would be done.  To recap, configure your windows clients for machine only authentication.  Configure your radius server to only allow authentication from the domain computers AD group.  If you do those two things, you will not need the IAP options from the knowledgebase article.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎06-10-2015

Re: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

Hi Colin, yes I get that, but the Radius server is currently used to authenticate users and Machines. The big BUT is that I want Machines on one SSID with unrestricted network access, and Users on a different SSID with restricted access.

At present, though, Users can authenticate on the Machine SSID, and then have unrestricted network access.

Plan B will be to set up a different Radius server for each group, I just wondered if I could lock down an SSID to Only authenticate Machines, regardless of whether the Radius server is capable of authenticating Users...

Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

The way to do this is to have one SSID and to have different roles depending on user or machine auth.

The roles would have different levels of access and can even be different VLANs.


ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
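The two designs in this thread side by side, as an added example written for this page (it is not code from the thread, from Aruba or from Microsoft): Colin's approach, a single NPS network policy conditioned on membership of "Domain Computers" so that a user typing AD credentials on a phone is rejected outright, and Michael's approach, one SSID with "enforce machine authentication" where the RADIUS server accepts both computers and users and the role (and therefore the VLAN) depends on which authentication passed. The check both rely on is that Windows 802.1X machine authentication presents the computer account in the RADIUS User-Name as host/<computername>.<dns-domain>, while user authentication presents DOMAIN\user or user@domain. The directory contents, MAC addresses, role names and VLAN numbers are constructed for illustration; the role mapping (machine only, user only, both) follows the semantics of Aruba's enforce-machine-authentication option as the two drop-downs in the linked article describe them.

```python
"""Simulation of the two designs discussed in this thread.

Added example, not code from the thread, Aruba or Microsoft. The
directory entries, MAC addresses, role names and VLAN IDs below are
constructed for illustration.
"""
import re
from typing import Dict, Optional, Set

# Windows 802.1X machine authentication sends the computer account as
# host/<computername>.<dns-domain>; user authentication sends
# DOMAIN\user or user@domain. This is how one RADIUS server can tell
# the two apart without a second server.
MACHINE_NAME_RE = re.compile(r"^host/[^/\\@.]+\.[^/\\@]+$", re.IGNORECASE)


def is_machine_identity(user_name: str) -> bool:
    """True when the RADIUS User-Name is a computer account."""
    return MACHINE_NAME_RE.match(user_name) is not None


# Constructed AD group membership keyed by User-Name; stands in for NPS
# looking the account up in Active Directory.
DIRECTORY: Dict[str, Set[str]] = {
    "host/laptop01.corp.example": {"Domain Computers"},
    "CORP\\adrian": {"Domain Users"},
    "adrian@corp.example": {"Domain Users"},
}


def nps_accepts(user_name: str, required_group: str) -> bool:
    """Colin's approach: an NPS network policy whose only condition is
    'Windows Groups' = required_group. With 'Domain Computers' here, a
    person entering AD credentials on a phone is rejected."""
    return required_group in DIRECTORY.get(user_name, set())


class InstantSSID:
    """Michael's approach: one SSID with 'enforce machine authentication'
    and a role for each outcome. NPS accepts both computers and users;
    the access level and VLAN come from the role.

    machine auth only -> machine_only_role
    user auth only    -> user_only_role
    both              -> default_role
    Machine auth is remembered per client MAC so that the later user
    logon on the same device counts as 'both'.
    """

    def __init__(self, default_role: str, machine_only_role: str,
                 user_only_role: str, role_vlan: Dict[str, int]) -> None:
        self.default_role = default_role
        self.machine_only_role = machine_only_role
        self.user_only_role = user_only_role
        self.role_vlan = role_vlan
        self._machine_authed: Set[str] = set()

    def authenticate(self, mac: str, user_name: str) -> Optional[str]:
        """Return the role assigned to the client, or None if rejected."""
        mac = mac.lower()
        if is_machine_identity(user_name):
            if not nps_accepts(user_name, "Domain Computers"):
                return None
            self._machine_authed.add(mac)
            return self.machine_only_role
        if not nps_accepts(user_name, "Domain Users"):
            return None
        if mac in self._machine_authed:
            return self.default_role
        return self.user_only_role

    def vlan_for(self, role: Optional[str]) -> Optional[int]:
        """VLAN carried by the role (roles can map to different VLANs)."""
        return None if role is None else self.role_vlan[role]


def demo() -> Dict[str, Optional[str]]:
    """Walk a managed laptop and an employee's phone through the SSID."""
    ssid = InstantSSID(
        default_role="managed",       # machine + user: unrestricted
        machine_only_role="managed",  # machine only, e.g. at logon screen
        user_only_role="byod",        # AD user on an unmanaged device
        role_vlan={"managed": 10, "byod": 20},
    )
    laptop, phone = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    return {
        "laptop_machine": ssid.authenticate(laptop, "host/laptop01.corp.example"),
        "laptop_user": ssid.authenticate(laptop, "CORP\\adrian"),
        "phone_user": ssid.authenticate(phone, "adrian@corp.example"),
        "phone_bogus": ssid.authenticate(phone, "host/evil.corp.example"),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case:15} -> {role}")
```

With Colin's single-policy server, `nps_accepts("CORP\\adrian", "Domain Computers")` is false, so the iPhone case Adrian describes never gets past RADIUS. With Michael's single SSID the phone is accepted but lands in the restricted "byod" role on VLAN 20, while the managed laptop keeps "managed" on VLAN 10 both at the logon screen and after the user signs in.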
Occasional Contributor I
Posts: 6
Registered: ‎06-10-2015

Re: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

Thanks Michael and Colin, it's looking good now.

Adrian
