Wireless Access

Occasional Contributor II

RADIUS Authentication with multiple groups

Hi Peeps,

I have a 3600 setup with RADIUS authentication on 2 of 4 SSIDs. (NPS)

The two 802.1X WLANs are for different groups of users (each with a different content policy out on the www).

RADIUS is currently configured just to check that the user account and password exist in AD.

Problem is that the PTB want to ensure that only members of group A can authenticate to WLAN A and group B to WLAN B.

From my understanding of the way NPS processes the request, I can't see how this can be done without a separate instance of RADIUS.

Is this the case?

Guru Elite

Re: RADIUS Authentication with multiple groups

The limitation lies with NPS.  Use the method in the post here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-do-I-configure-an-Aruba-controller-to-use-AD-groups-through/m-p/2501/highlight/true#M552 to put users in different roles (and define VLANs in those roles to make them have different VLANs).

When testing, either use the "aaa user delete" command to remove the user from the user table, or use "disconnect" in the GUI, so that the user does not use a cached role when they reconnect.

 



Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: RADIUS Authentication with multiple groups

Hi,
You will have to double check but I think you will have to create a NPS profile based on the calling station ID and use a wildcard for any AP MAC Address then ':each distinct SSID'. Each profile can then apply their own set of rules.

Paul Gallant. Eng.
CWNA, CWSP
Aruba

Re: RADIUS Authentication with multiple groups

<taken from a previous post of mine>

Because you are using NPS you have limited options, but you do have one. You'll need to set up two RADIUS server definitions and server groups. They will both point to the same NPS server and use the same shared secret. However, for each server definition, define a unique "NAS ID", for example SSID-A and SSID-B. Then set up your AAA profiles to use the respective server group. Last, set up two NPS policies, one for SSID A authentication and one for SSID B authentication, with the appropriate returned attributes. In the conditions, make sure you have the NAS Identifier in there to differentiate the requests, as well as AD group memberships.

For example:

aaa authentication-server radius "NPS-SSID-A"
  nas-identifier "SSID-A"

aaa authentication-server radius "NPS-SSID-B"
  nas-identifier "SSID-B"
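To make the point of the NAS-Identifier condition concrete, here is a small model of how NPS walks its network policies in order and applies the first one whose conditions all match. This is an added illustration, not NPS code or anything from the thread; the policy names, group names and users are constructed. It shows that a policy checking only AD membership lets a group-A user onto SSID B, while policies conditioned on both NAS-Identifier and group do not.

```python
"""Constructed model of NPS first-match network policy evaluation."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # AD group memberships NPS resolves for the user
    nas_identifier: str      # value the controller sends per server definition


@dataclass(frozen=True)
class Policy:
    name: str
    nas_identifier: Optional[str]  # condition; None means "not checked"
    group: Optional[str]           # condition; None means "not checked"
    grant: bool = True


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, bool]:
    """Return (policy name, access granted) for the first matching policy.

    Like NPS, a request that matches no policy is rejected.
    """
    for p in policies:
        if p.nas_identifier is not None and p.nas_identifier != req.nas_identifier:
            continue
        if p.group is not None and p.group not in req.groups:
            continue
        return p.name, p.grant
    return "no-match", False


# "Before": a single policy that only checks the account is a domain user.
LOOSE = [Policy("Any-AD-user", None, "Domain Users")]

# "After": one policy per SSID, each conditioned on NAS-Identifier AND group
# (hypothetical group names; SSID-A / SSID-B match the nas-identifier values).
STRICT = [
    Policy("SSID-A users", "SSID-A", "WiFi-GroupA"),
    Policy("SSID-B users", "SSID-B", "WiFi-GroupB"),
]

ALICE_A = frozenset({"Domain Users", "WiFi-GroupA"})  # constructed group-A user

if __name__ == "__main__":
    print(evaluate(LOOSE, Request("alice", ALICE_A, "SSID-B")))   # granted on wrong SSID
    print(evaluate(STRICT, Request("alice", ALICE_A, "SSID-B")))  # ('no-match', False)
    print(evaluate(STRICT, Request("alice", ALICE_A, "SSID-A")))  # ('SSID-A users', True)
```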

Just an FYI:

NPS doesn't support it, but ClearPass could use the Aruba-ESSID-Name attribute that is passed during the authentication attempt.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
