Security

last person joined: 6 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Microsoft NPS custom attributes

  • 1.  Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:44 AM

    Hi fellow Airheads,

     

    Anyone know if it is possible for the NPS server to send back a custom attribute back to our Aruba Wireless controller?  We would like to use this attribute to help dictate which wireless role to put this particular device on.  We are looking to leverage the use of the Active Directory global group which the device is in and send the group name attribute back to the Aruba wireless controller.  From there the Aruba can use that attribute to determine wireless role.

     

    Thanks in advance,

    Bill



  • 2.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:46 AM

    Yes.  This is supported.  I would suggest using Filter IDs then in the AAA server group, you can do a server derived role using the following logic

    IF Filter-ID EQUALS "Student" THEN set-role Student

     

     



  • 3.  RE: Microsoft NPS custom attributes

    Posted Sep 06, 2013 09:36 AM

    @SethFiermonti wrote:

    Yes.  This is supported.  I would suggest using Filter IDs then in the AAA server group, you can do a server derived role using the following logic

    IF Filter-ID EQUALS "Student" THEN set-role Student

     

     



    This is what we do and it works really well you just have to remember that in NPS everything is chained in order, so if you wanted to add different levels of control for your students; Lets say you have all students, but then you also want additional controls for byod students, all the user accounts are in AD and you have groups setup for "byod students" and those students are also in the "AllStudents" group.

     

    You would have to order your policies in NPS like this:

    "BYOD Students" => filterID = BYODstudents

    "AllStudents" => filterID = AllStudents

     

    You can create a nice dynamic ACL environment using just NPS and the aruba gear :)

     

    -Dan



  • 4.  RE: Microsoft NPS custom attributes

    Posted Sep 06, 2013 09:41 AM

    The MUCH easier method is using ClearPass for AAA!  :)



  • 5.  RE: Microsoft NPS custom attributes

    Posted Sep 06, 2013 09:43 AM

    @SethFiermonti wrote:

    The MUCH easier method is using ClearPass for AAA!  :)


    Well it is a tad more expensive :)  if it was included then I would be all over it.  But this will allow some finer controls for your users.



  • 6.  RE: Microsoft NPS custom attributes

    Posted Sep 06, 2013 01:07 PM

    Yup.  Clearpass is on it's way.  :smileyhappy:  But for now we needed a solution for the time being.  Thanks all for the replies.



  • 7.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:48 AM
    You can use the filter-id attribute to return a tag then create a server
    derived rule on the controller that maps the filter-id to a role.


  • 8.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:55 AM

    The below is using MS IAS but should be somewhat similar with NPS I would hope. You would also need to go ahead and configure the appropriate policies.  TechNet at the Microsoft website should have a plethora of articles on this.

     

    Method 1: Use a Vendor-Specific Attribute

     

    1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
    2. Click Remote Access Policies, right-click the policy that you want to configure a vendor-specific attribute for, and then click Properties.
    3. Click Edit Profile, click the Advanced tab, and then click Add.
    4. In the list of available RADIUS attributes, click Aruba-User-Role click Add, and then click Add.
    5. In the Attribute value box, type Student

      Note This example shows a configuration that uses the Aruba role Student. Your configuration will vary.

    Method 2: Use a Standard RADIUS Attribute Filter-ID

     

    1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
    2. Click Remote Access Policies.
    3. Right-click the policy that you want to configure a vendor-specific attribute for, and then click Properties.
    4. Click Edit Profile, click the Advanced tab, and then click Add.
    5. In the list of available RADIUS attributes, click Filter-ID, click Add, and then click Add.
    6. In the Enter the attribute value in box, click String, and then type student


  • 9.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:58 AM

    Thanks for the quick replies.  Since I don't have much exposure to the NPS side of things since our AD/Security group takes care of it.  Can someone give me a quick run through or point me to an article on how to set this up from the NPS side...if there is any setup.

     

    Thanks.



  • 10.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:59 AM

    The above was that config help with MS.  I will let others chime in if they know.



  • 11.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 12:01 PM

    Thanks Seth for the walk through.



  • 12.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 01:31 PM

    To elaborate on Seth's response.   You can use any of the Aruba Standard VSAs (listed below).  The process is the same, just the assigned attribute number would differ, depending on what your goal is.  Don't forget to setup a corresponding rule on the Server Group side.  The following is a modified example from earlier post.

     

    Policy Name - Wireless-IT-Role-Assignment

    Type of Network Access Server - Unspecified

    Conditions - add whatever you typically add; but make sure you have Windows Group matches IT

    Acesss Granted

    EAP Type - add whatever authentication types you use

    Constraints - NONE

    RADIUS Attributes

    • Click Vendor Specific; click Add
    • Choose Vendor Specific from the Vendor choice; click Add
    • Click to add attribute information
    • Select Vendor Code = 14823 and Yes it conforms, click Configure Attributes
    • Choose 1 as your assigned attribute number (for Aruba-User-Role in the below table)
    • Attribute format = string
    • Attribute value = authenticated (role name)
    • Click OK to close out

     

    On your Server Group that has the NPS servers defined, add a server derived rule that will look for this attribute from NPS and then apply the role.   This will set the roleto whatever value is sent by NPS for Aruba-User-Role (or to NPS, Vendor 14823, attribvute 1). 

    set role condition "Aruba-User-Role" value-of position 1

     

      

    Here are some of the supported VSAs; there are probably more by now.

    VENDOR      Code   14823  
    AttributeAttribute NumberFormat
    Aruba-User-Role1string
    Aruba-User-Vlan2integer
    Aruba-Priv-Admin-User3integer
    Aruba-Admin-Role4string
    Aruba-Essid-Name5string
    Aruba-Location-Id6string
    Aruba-Port-Id7string
    Aruba-Template-User8string
    Aruba-Named-User-Vlan9string
    Aruba-AP-Group10string
    Aruba-Framed-IPv6-Address11string
    Aruba-Device-Type12string
    Aruba-AP-Name13string
    Aruba-No-DHCP-Fingerprint14integer
    Aruba-Mdps-Device-Udid15string
    Aruba-Mdps-Device-Imei16string
    Aruba-Mdps-Device-Iccid17string
    Aruba-Mdps-Max-Devices18integer
    Aruba-Mdps-Device-Name19string
    Aruba-Mdps-Device-Product20string
    Aruba-Mdps-Device-Version21string
    Aruba-Mdps-Device-Serial22string
    Aruba-CPPM-Role23string
    Aruba-AirGroup-User-Name24string
    Aruba-AirGroup-Shared-User25string
    Aruba-AirGroup-Shared-Role26string
    Aruba-AirGroup-Device-Type27integer
    Aruba-Auth-Survivability28string
    Aruba-AS-User-Name29string
    Aruba-AS-Credential-Hash30string 

     



  • 13.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 02:26 PM

    Do these attributes need to be added one by one as needed?  Is there a way to import them into the NPS?

     

    Thanks.



  • 14.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 02:28 PM

    Microsoft does not allow them to be imported, and they can only be used for return attributes; not for setting conditions in your policies.