Hi fellow Airheads,
Does anyone know if it is possible for the NPS server to send a custom attribute back to our Aruba wireless controller? We would like to use this attribute to help dictate which wireless role to put this particular device in. We are looking to leverage the Active Directory global group that the device is in and send the group name attribute back to the Aruba wireless controller. From there the Aruba can use that attribute to determine the wireless role.
Thanks in advance,
Yes. This is supported. I would suggest using Filter IDs; then, in the AAA server group, you can do a server-derived role using the following logic:
IF Filter-ID EQUALS "Student" THEN set-role Student
@SethFiermonti wrote: Yes. This is supported. I would suggest using Filter IDs; then, in the AAA server group, you can do a server-derived role using the following logic: IF Filter-ID EQUALS "Student" THEN set-role Student
This is what we do and it works really well. You just have to remember that in NPS everything is chained in order, so if you wanted to add different levels of control for your students: let's say you have all students, but then you also want additional controls for BYOD students; all the user accounts are in AD and you have groups set up for "byod students", and those students are also in the "AllStudents" group.
You would have to order your policies in NPS like this:
"BYOD Students" => filterID = BYODstudents
"AllStudents" => filterID = AllStudents
You can create a nice dynamic ACL environment using just NPS and the Aruba gear :)
The MUCH easier method is using ClearPass for AAA! :)
@SethFiermonti wrote: The MUCH easier method is using ClearPass for AAA! :)
Well it is a tad more expensive :) if it was included then I would be all over it. But this will allow some finer controls for your users.
Yup. ClearPass is on its way. :) But for now we needed a solution for the time being. Thanks all for the replies.
The below is using MS IAS but should be somewhat similar with NPS I would hope. You would also need to go ahead and configure the appropriate policies. TechNet at the Microsoft website should have a plethora of articles on this.
Method 1: Use a Vendor-Specific Attribute
Method 2: Use a Standard RADIUS Attribute Filter-ID
Thanks for the quick replies. I don't have much exposure to the NPS side of things since our AD/Security group takes care of it. Can someone give me a quick run-through or point me to an article on how to set this up from the NPS side, if there is any setup?
The above was that config help with MS. I will let others chime in if they know.
Thanks Seth for the walk through.
To elaborate on Seth's response: you can use any of the Aruba standard VSAs (listed below). The process is the same; just the assigned attribute number would differ, depending on what your goal is. Don't forget to set up a corresponding rule on the Server Group side. The following is a modified example from an earlier post.
Policy Name - Wireless-IT-Role-Assignment
Type of Network Access Server - Unspecified
Conditions - add whatever you typically add; but make sure you have Windows Group matches IT
EAP Type - add whatever authentication types you use
Constraints - NONE
On your Server Group that has the NPS servers defined, add a server-derived rule that will look for this attribute from NPS and then apply the role. This will set the role to whatever value is sent by NPS for Aruba-User-Role (or, to NPS, Vendor 14823, attribute 1).
set role condition "Aruba-User-Role" value-of position 1
Here are some of the supported VSAs; there are probably more by now.
Do these attributes need to be added one by one as needed? Is there a way to import them into the NPS?
Microsoft does not allow them to be imported, and they can only be used for return attributes; not for setting conditions in your policies.
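The flow discussed in this thread, as an added example that is not code from any poster, Aruba or Microsoft: a Python model of NPS first-match policy ordering, the on-the-wire form of Filter-Id and of the Aruba-User-Role VSA (vendor 14823, attribute 1), and a controller-side derivation rule. The function names, the `known_roles` allow-list and the sample role names are assumptions of this example.

```python
import struct

FILTER_ID, VENDOR_SPECIFIC = 11, 26        # standard RADIUS attribute types (RFC 2865)
ARUBA_VENDOR, ARUBA_USER_ROLE = 14823, 1   # vendor and attribute numbers quoted in the thread

# Constructed NPS policy list, in processing order: the narrower group comes first.
NPS_POLICIES = [("BYOD Students", "BYODstudents"), ("AllStudents", "AllStudents")]

def nps_filter_id(member_of, policies=NPS_POLICIES):
    """Model of NPS ordering: the first policy whose group matches decides the Filter-Id."""
    for group, filter_id in policies:
        if group in member_of:
            return filter_id
    return None  # no policy matched, so no Filter-Id in this model

def encode_filter_id(value):
    data = value.encode()
    return struct.pack("!BB", FILTER_ID, 2 + len(data)) + data

def encode_aruba_role(role):
    """Vendor-Specific (26) carrying vendor 14823, vendor attribute 1, string value."""
    data = role.encode()
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ARUBA_VENDOR) + sub

def parse_attributes(buf):
    """Extract Filter-Id and Aruba-User-Role from the attribute bytes of an Access-Accept."""
    found, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = buf[i], buf[i + 2:i + buf[i + 1]]
        if atype == FILTER_ID:
            found.setdefault("Filter-Id", value.decode())
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (ARUBA_VENDOR, ARUBA_USER_ROLE) and 2 <= vlen <= len(value) - 4:
                found.setdefault("Aruba-User-Role", value[6:4 + vlen].decode())
        i += buf[i + 1]
    return found

def derive_role(attrs, filter_rules, known_roles):
    """Filter-Id EQUALS rules first, otherwise the value of Aruba-User-Role.
    This model returns None when the result is not in the known_roles allow-list."""
    role = filter_rules.get(attrs.get("Filter-Id"), attrs.get("Aruba-User-Role"))
    return role if role in known_roles else None
```

Reversing `NPS_POLICIES` makes a member of both groups receive `AllStudents`, which is the ordering pitfall described earlier in the thread.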