Wireless Access

Occasional Contributor II
Posts: 14
Registered: ‎05-16-2011

RADIUS and Groups

I have an existing server group that includes my two Windows NPS boxes... they both have policies authorizing DOMAIN\Domain Users and DOMAIN\Domain Computers for 802.1X and all is groovy with connecting to those VAPS using an AAA profile that includes those.


NOW what I want to do is use those same RADIUS servers to authorize management access based on a group membership. Seems like when I add that server group for management auth it starts letting EVERY user in my domain in. How do I filter this?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: RADIUS and Groups

You create a more specific rule that has Nas-Port-Type = VPN and Windows Groups=IT.  Move it to the top of your list.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 14
Registered: ‎05-16-2011

Re: RADIUS and Groups

So I've got two "network policies" currently.


The first for "Secure wireless connections", which has conditions for NAS port type 802.1x wireless and membership in domain users or domain computers.


The second for "Junos devices" which only checks for group membership.


Now... if I set management authentication to use the server group for RADIUS that I'm currently using in my AAA profile, it appears to be allowing all users, as if it's matching the first policy. I wouldn't think management access would match that rule if the user's not coming in over an 802.1X secured port or SSID.

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: RADIUS and Groups


Make sure the rule with nas port type vpn is at the top.

Make sure that the other rules have NAS port type 802.11 wireless.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 14
Registered: ‎05-16-2011

Re: RADIUS and Groups

So, I just tried that, and despite the user not being in the group, it lets them in as an admin. The only policy that would match that user is the one for wireless.


Is it because maybe under the wireless policy I've specified NAS port type Wireless 802.11 OR Wireless - Other?


Tom

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: RADIUS and Groups

Yes. That is your problem.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 14
Registered: ‎05-16-2011

Re: RADIUS and Groups

Apparently not, still not matching, and it still allows the second policy to authorize any user in my AD as an admin.


I have two policies:


1st - Conditions NAS Port Type VPN, Group Membership Domain Admins

2nd - Conditions NAS Port Type 802.11 - Wireless, Group Membership Domain Users or Domain Computers.


Perhaps I need a deny in here somewhere?


Tom

Occasional Contributor II
Posts: 14
Registered: ‎05-16-2011

Re: RADIUS and Groups

What DID work...


1) Set a NAS ID on my existing RADIUS server profiles with nas ID "ArubaUser".

2) Created duplicates of the above, but with nas ID "ArubaAdmin" and a corresponding server group.


Edited my NPS policies to match on the ArubaAdmin and ArubaUser NAS IDs respectively.


Working fine now.


Tom
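As an added illustration (not code from the thread or from Aruba/Microsoft), the following is a first-match model of how NPS walks its network policies, run against the two policy sets discussed above: the NAS-Port-Type based pair that let any Domain User through as an admin, and the NAS-Identifier based pair (ArubaUser / ArubaAdmin) that fixed it. The policy names, the attribute values and the requests are constructed; in particular the NAS-Port-Type that the controller puts on a management-auth request is assumed here and was never established in the thread.

```python
# Added example: first-match evaluation of NPS-style network policies.
# Every policy/request value below is constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    nas_port_types: set = field(default_factory=set)  # empty = any port type
    nas_identifier: str = ""                          # empty = any NAS-Identifier
    groups: set = field(default_factory=set)          # member of any one -> ok

def matches(policy, req):
    """True when every condition the policy actually sets is satisfied."""
    if policy.nas_port_types and req.get("NAS-Port-Type") not in policy.nas_port_types:
        return False
    if policy.nas_identifier and req.get("NAS-Identifier") != policy.nas_identifier:
        return False
    if policy.groups and not (policy.groups & req.get("groups", set())):
        return False
    return True

def evaluate(policies, req):
    """NPS checks network policies top-down and stops at the first match;
    with no match the request is rejected."""
    for p in policies:
        if matches(p, req):
            return p.name, "accept"
    return None, "reject"

# The thread's original pair: admin access keyed on NAS-Port-Type = VPN.
ORIGINAL = [
    Policy("Admins (VPN)", {"Virtual (VPN)"}, groups={"Domain Admins"}),
    Policy("Secure wireless", {"Wireless - IEEE 802.11", "Wireless - Other"},
           groups={"Domain Users", "Domain Computers"}),
]
# The working pair: each server group tags its requests with its own NAS ID.
FIXED = [
    Policy("Aruba admins", nas_identifier="ArubaAdmin", groups={"Domain Admins"}),
    Policy("Aruba wireless", nas_identifier="ArubaUser",
           groups={"Domain Users", "Domain Computers"}),
]

# Constructed management-auth request from a plain domain user.  The port type
# is an assumption: whatever the controller sends, it is not "Virtual (VPN)".
MGMT_USER = {"User-Name": "tom", "NAS-Port-Type": "Wireless - Other",
             "NAS-Identifier": "ArubaAdmin", "groups": {"Domain Users"}}
MGMT_ADMIN = dict(MGMT_USER, groups={"Domain Users", "Domain Admins"})
WIFI_USER = dict(MGMT_USER, **{"NAS-Port-Type": "Wireless - IEEE 802.11",
                               "NAS-Identifier": "ArubaUser"})
```

With ORIGINAL, MGMT_USER falls through the VPN rule and is accepted by the wireless rule, which is the symptom in the thread; with FIXED the same request is rejected while MGMT_ADMIN and WIFI_USER each match only their intended policy.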
