[ 802.1X // NPS Configuration ] Troubleshooting Role Results

    Posted Jun 19, 2020 08:46 PM

    Hello Airheads,

    I've recently moved to using Windows NPS as opposed to a different third-party RADIUS server and wanted to ask if there are any evident configuration issues in what I present below.

    I ask because I've had inconsistent results in my monitoring of Airwave client statuses and authentication issues.

    Maybe I'm just misunderstanding when and where the attributes get passed or overwritten.

    My basic mentality for the schema was:

    • Simplify connection requests by allowing all initial authentication attempts but filtering them at least by NAS Port Type (LAN/WLAN below)
    • Filter down to domain devices at the initial Network Policy condition
    • Assign the user role after machine authentication, so clients can idle at machine authentication when not in use but sitting at the login screen.

    Setup:

    • (2x) VMM - Active/Passive
    • (2x) MC - Active/Active
    • (4x) Windows Server Domain Controller with NPS

    NPS Configuration:

    Connection Request Policies:

    • LAN
      • Condition - NAS Port Type Ethernet
        • Returned RADIUS Attribute: Filter-ID 802.3
          • MC Server Derivation of 802.3 Attribute: Assign Role: guest
    • WLAN
      • Condition - NAS Port Type Ethernet
        • Returned RADIUS Attribute: Filter-ID 802.11
          • MC Server Derivation of 802.11 Attribute: Assign Role: guest

    *** Guest Role ACL: Allow DHCP, DNS, ICMP, HTTP/S

    Network Policies:

    • Machine Basic
      • Condition: Domain Computers group membership
        • Returned RADIUS Attribute: Filter-ID MachineAuth
          • MC Server Derivation of MachineAuth attribute: Assign Role: ComputerAuth

    *** ComputerAuth Role ACL: Allow DHCP, DNS, ICMP, HTTP/S, Domain Controller Communications

    • User Basic:
      • Condition: a domain user group I configured that contains all users I want to allow to authenticate. I'll prune this later, but I was unsure whether Aruba and NPS see eye to eye on nested groups.
      • Returned RADIUS Attribute: Class Staff
        • MC Server Derivation of Staff attribute: Assign Role: Staff

    *** Staff Role ACL: Allow all IPV4, IPV6

    Aruba AAA & 802.1X Configuration:

    AAA:

    Company SSID Profile:

    Initial Role: guest

    MAC Auth Default Role: ComputerAuth [ Not using MAC Auth ]

    802.1X Auth Default Role: guest

    802.1X:

    Max Auth Failures: 0

    Enforce Machine Auth (Yes)

    Machine Auth Default Machine Role: Computer-Auth

    Machine Auth Default User Role: guest

    Load Balance (Yes)

    I'm seeing different devices fail, or get stuck in odd roles in Airwave.

    My process for testing and adjusting has been to make a change on the NPS side, clear all authentication issue entries in Airwave, then restart the NPS service and watch the results.

    Any suggestions or observations are greatly appreciated, thanks.
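
Added example (mine, not the poster's or any vendor's code): the policy chain above modelled as data, to show that every Access-Accept in this design carries a Connection Request Policy attribute whose derivation rule yields `guest` as well as the Network Policy attribute for the intended role, so the controller's derivation precedence decides the outcome. The dictionary layout, the RFC attribute name `Filter-Id` and the audit function are my constructions.

```python
# Constructed model of the poster's NPS policies and Aruba server-derivation
# rules. It flags CRP/NP combinations whose combined returned attributes
# would let more than one derivation rule fire on the controller.
from itertools import product

# Attributes each policy returns, as RADIUS attribute name -> value.
CONNECTION_REQUEST_POLICIES = {
    "LAN":  {"Filter-Id": "802.3"},
    "WLAN": {"Filter-Id": "802.11"},
}
NETWORK_POLICIES = {
    "Machine Basic": {"Filter-Id": "MachineAuth"},
    "User Basic":    {"Class": "Staff"},
}
# Server-derivation rules as described in the post: (attribute, value) -> role.
SERVER_DERIVATION = {
    ("Filter-Id", "802.3"):       "guest",
    ("Filter-Id", "802.11"):      "guest",
    ("Filter-Id", "MachineAuth"): "ComputerAuth",
    ("Class", "Staff"):           "Staff",
}


def candidate_roles(attrs):
    """Roles whose derivation rule matches any (attribute, value) pair."""
    return sorted({SERVER_DERIVATION[p] for p in attrs if p in SERVER_DERIVATION})


def audit_policy_chain(crps=CONNECTION_REQUEST_POLICIES, nps=NETWORK_POLICIES):
    """One finding per CRP/NP pair whose Access-Accept could derive more than
    one role, or that returns the same attribute with two different values."""
    findings = []
    for (crp, crp_attrs), (np, np_attrs) in product(crps.items(), nps.items()):
        pairs = list(crp_attrs.items()) + list(np_attrs.items())
        # Same attribute name returned by both policies with differing values.
        dup = sorted(a for a in crp_attrs if a in np_attrs and crp_attrs[a] != np_attrs[a])
        roles = candidate_roles(pairs)
        if dup or len(roles) > 1:
            findings.append({"crp": crp, "np": np, "duplicate_attrs": dup, "roles": roles})
    return findings


if __name__ == "__main__":
    for f in audit_policy_chain():
        print(f"{f['crp']} + {f['np']}: duplicate {f['duplicate_attrs']} -> roles {f['roles']}")
```

Running it lists all four CRP/NP combinations, each with `guest` among its candidate roles; a CRP that returns no attributes produces no finding.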