Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RADIUS and Groups

  • 1.  RADIUS and Groups

    Posted Jun 01, 2012 11:38 AM

    I have an existing server group that includes my two Windows NPS boxes... they both have policies authorizing DOMAIN\Domain Users and DOMAIN\Domain Computers for 802.1X, and all is groovy with connecting to those VAPs using an AAA profile that includes those.

     

    NOW what I want to do is use those same RADIUS servers to authorize management access based on a group membership. Seems like when I add that server group for management auth it starts letting EVERY user in my domain in. How do I filter this?



  • 2.  RE: RADIUS and Groups

    EMPLOYEE
    Posted Jun 01, 2012 12:06 PM

    You create a more specific rule that has Nas-Port-Type = VPN and Windows Groups=IT.  Move it to the top of your list.

     



  • 3.  RE: RADIUS and Groups

    Posted Jun 28, 2012 03:45 PM

    So I've got two "network policies" currently.

     

    The first for "Secure wireless connections", which has conditions for NAS port type 802.1x wireless and membership in domain users or domain computers.

     

    The second for "Junos devices" which only checks for group membership.

     

    Now... if I set management authentication to use the RADIUS server group that I'm currently using in my AAA profile, it appears to be allowing all users, as if it's matching the first policy. I wouldn't think management access would match that rule if the user's not coming in over an 802.1X-secured port or SSID.



  • 4.  RE: RADIUS and Groups

    EMPLOYEE
    Posted Jun 28, 2012 04:34 PM

    Make sure the rule with nas port type vpn is at the top.

     Make sure that the other rules have nas port type 802.11 wireless.

     



  • 5.  RE: RADIUS and Groups

    Posted Jun 28, 2012 04:42 PM

    So, I just tried that, and despite the user not being in the group, it lets them in as an admin. The only policy that would match that user is the one for wireless.

     

    Is it because maybe under the wireless policy I've specified NAS port type Wireless 802.11 OR Wireless - Other?

     

    Tom



  • 6.  RE: RADIUS and Groups

    EMPLOYEE
    Posted Jun 28, 2012 04:48 PM
    Yes. That is your problem.


  • 7.  RE: RADIUS and Groups

    Posted Jul 02, 2012 10:34 AM

    Apparently not, still not matching, and it still allows the second policy to authorize any user in my AD as an admin.

     

    I have two policies:

     

    1st - Conditions NAS Port Type VPN, Group Membership Domain Admins

    2nd - Conditions NAS Port Type 802.11 - Wireless, Group Membership Domain Users or Domain Computers.

     

    Perhaps I need a deny in here somewhere?

     

    Tom



  • 8.  RE: RADIUS and Groups

    Posted Jul 02, 2012 11:12 AM

    What DID work... 

     

    1) Set a NAS ID on my existing RADIUS server profiles with NAS ID "ArubaUser".

    2) Created duplicates of the above, but with NAS ID "ArubaAdmin" and a corresponding server group.

     

    Edited my NPS policies to match on the ArubaAdmin and ArubaUser NAS IDs respectively.

     

    Working fine now.

     

    Tom
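The fix in the last post works because NPS evaluates network policies in order and grants on the first whose conditions all hold, so any request that does not carry an attribute the admin policy can key on falls through to whichever broader policy comes next. The model below is an added example written for this thread, not code from Aruba or Microsoft: it reproduces that first-match evaluation over the two policy sets described above (the original "before" set keyed on NAS-Port-Type, and the "after" set keyed on NAS-Identifier) so you can see which policy a given login lands on. The policy names, the assumption that a management login arrives with a NAS-Port-Type the wireless policy also accepts, and the sample users are all constructed for illustration; the thread does not say which port type the controller actually sends for management authentication.

```python
"""Model of NPS first-match network policy evaluation (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional

# NAS-Port-Type values as NPS displays them (constructed labels, not the RADIUS enum numbers).
WIRELESS_80211 = "Wireless - IEEE 802.11"
WIRELESS_OTHER = "Wireless - Other"
VPN = "Virtual (VPN)"

DOMAIN_USERS = "DOMAIN\\Domain Users"
DOMAIN_COMPUTERS = "DOMAIN\\Domain Computers"
DOMAIN_ADMINS = "DOMAIN\\Domain Admins"


@dataclass(frozen=True)
class Request:
    """The attributes of one Access-Request that the policies below look at."""
    user: str
    groups: frozenset
    nas_port_type: Optional[str] = None
    nas_identifier: Optional[str] = None


@dataclass(frozen=True)
class Policy:
    """One NPS network policy. An empty condition set means the condition is not configured."""
    name: str
    groups_any: frozenset = frozenset()      # Windows Groups: member of ANY listed group
    port_types_any: frozenset = frozenset()  # NAS-Port-Type: ANY listed value
    nas_identifier: Optional[str] = None     # NAS-Identifier: exact string match

    def matches(self, req: Request) -> bool:
        # Every configured condition must hold (AND across conditions);
        # within one condition, any listed value is enough (OR within a condition).
        if self.groups_any and not (self.groups_any & req.groups):
            return False
        if self.port_types_any and req.nas_port_type not in self.port_types_any:
            return False
        if self.nas_identifier is not None and req.nas_identifier != self.nas_identifier:
            return False
        return True


def evaluate(policies: List[Policy], req: Request) -> Optional[str]:
    """Return the name of the first matching policy, or None (NPS rejects when nothing matches)."""
    for policy in policies:
        if policy.matches(req):
            return policy.name
    return None


# "Before": the ordering from post 7. The admin policy only fires for NAS-Port-Type VPN,
# so a management login that the controller tags with some other port type skips it.
BEFORE = [
    Policy("Aruba management", groups_any=frozenset({DOMAIN_ADMINS}),
           port_types_any=frozenset({VPN})),
    Policy("Secure wireless connections",
           groups_any=frozenset({DOMAIN_USERS, DOMAIN_COMPUTERS}),
           port_types_any=frozenset({WIRELESS_80211, WIRELESS_OTHER})),
]

# "After": the fix from post 8. Each Aruba RADIUS server profile sends its own NAS-Identifier,
# and both policies require it, so the management path can never match the wireless policy.
AFTER = [
    Policy("Aruba management", groups_any=frozenset({DOMAIN_ADMINS}),
           nas_identifier="ArubaAdmin"),
    Policy("Secure wireless connections",
           groups_any=frozenset({DOMAIN_USERS, DOMAIN_COMPUTERS}),
           port_types_any=frozenset({WIRELESS_80211}),
           nas_identifier="ArubaUser"),
]

# Constructed sample logins. PLAIN_USER is an ordinary domain account trying the controller's
# management login; ADMIN is in Domain Admins; LAPTOP is a machine account on the 802.1X SSID.
PLAIN_USER_MGMT = Request("tom", frozenset({DOMAIN_USERS}),
                          nas_port_type=WIRELESS_OTHER,  # assumption: some non-VPN port type
                          nas_identifier="ArubaAdmin")
ADMIN_MGMT = Request("admin", frozenset({DOMAIN_USERS, DOMAIN_ADMINS}),
                     nas_port_type=WIRELESS_OTHER, nas_identifier="ArubaAdmin")
LAPTOP_WIFI = Request("laptop$", frozenset({DOMAIN_COMPUTERS}),
                      nas_port_type=WIRELESS_80211, nas_identifier="ArubaUser")


def outcome(policies: List[Policy], req: Request) -> str:
    """Human-readable decision for one request against one policy set."""
    hit = evaluate(policies, req)
    return f"{req.user}: {'Access-Accept via ' + hit if hit else 'Access-Reject (no policy matched)'}"


if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        for req in (PLAIN_USER_MGMT, ADMIN_MGMT, LAPTOP_WIFI):
            print(outcome(policies, req))
```

Under the "before" set the plain domain user gets an Access-Accept from the wireless policy and the controller maps that to its management default role, which is the symptom reported above; under the "after" set the same login finds no policy and is rejected, while the Domain Admins account and the 802.1X machine account still land on their intended policies. One caveat worth keeping in mind: NAS-Identifier is a label the RADIUS client sets, not a credential, so this split relies on both server profiles living on a controller you already trust via its shared secret; it separates the two authentication paths on that controller, it does not authenticate the controller itself.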