Hello Airheads,
I've recently moved to using Windows NPS instead of a different third-party RADIUS server and wanted to ask if there are any evident configuration issues in what I present below.
I ask because I've had inconsistent results in my monitoring of Airwave client statuses and authentication issues.
Maybe I'm just misunderstanding when and where the attributes get passed or overwritten.
My basic mentality for the schema was:
- Simplify connection requests by allowing all initial authentication attempts but filtering them at least by NAS port type (LAN/WLAN below)
- Filter down to domain devices at the initial Network Policy condition
- Assign the user role after machine authentication so clients can idle at machine authentication when not in use but at the login screen.
Setup:
- (2x) VMM - Active/Passive
- (2x) MC - Active/Active
- (4x) Windows Server Domain Controller with NPS
NPS Configuration:
Connection Request Policies:
- LAN
  - Condition: NAS Port Type Ethernet
  - Returned RADIUS Attribute: Filter-ID 802.3
  - MC Server Derivation of 802.3 Attribute: Assign Role: guest
- WLAN
  - Condition: NAS Port Type Ethernet
  - Returned RADIUS Attribute: Filter-ID 802.11
  - MC Server Derivation of 802.11 Attribute: Assign Role: guest
*** Guest Role ACL: Allow DHCP, DNS, ICMP, HTTP/S
Network Policies:
- Machine Basic
  - Condition: Domain Computers group membership
  - Returned RADIUS Attribute: Filter-ID MachineAuth
  - MC Server Derivation of MachineAuth attribute: Assign Role: ComputerAuth
*** ComputerAuth Role ACL: Allow DHCP, DNS, ICMP, HTTP/S, Domain Controller Communications
- User Basic
  - Condition: Domain user group I configured that contains all users I want to allow authentication with. I'll later prune this, but I was unsure if Aruba and NPS see eye to eye on nested groups.
  - Returned RADIUS Attribute: Class Staff
  - MC Server Derivation of Staff attribute: Assign Role: Staff
*** Staff Role ACL: Allow all IPv4, IPv6
Aruba AAA & 802.1X Configuration:
AAA:
  Company SSID Profile:
    Initial Role: guest
    MAC Auth Default Role: ComputerAuth [ Not using MAC Auth ]
    802.1X Auth Default Role: guest
802.1X:
  Max Auth Failures: 0
  Enforce Machine Auth (Yes)
  Machine Auth Default Machine Role: Computer-Auth
  Machine Auth Default User Role: guest
  Load Balance (Yes)
I'm seeing different devices fail, or get stuck in odd roles in Airwave.
My process for testing and adjusting has been to make a change on the NPS side, clear all authentication issue entries in Airwave, then start the NPS services again and watch the results.
Any suggestions or observations are greatly appreciated, thanks.
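As an added illustration, not part of the post or any vendor's code, here is a small Python model of the policy chain described above: NPS takes the first matching connection request policy and the first matching network policy, merges the attributes they return, and the controller's server derivation rules map the result to a role. The precedence between attributes returned by the two NPS policy types, the first-match ordering of derivation rules on the controller, and the user group name ("Allowed Users") are assumptions flagged in the comments, so the model is a way to reason about which side's attribute ends up winning, not a statement of vendor behaviour.

```python
from dataclasses import dataclass, field

# NAS-Port-Type values from RFC 2865: 15 = Ethernet, 19 = Wireless-IEEE-802.11
ETHERNET, WIRELESS = 15, 19

@dataclass
class Request:
    nas_port_type: int
    groups: set = field(default_factory=set)   # AD groups of the authenticating identity

# Policies as listed in the post: (name, condition, attributes returned on Access-Accept).
# The WLAN condition is reproduced exactly as posted; "Allowed Users" is an assumed group name.
CONNECTION_REQUEST_POLICIES = [
    ("LAN",  lambda r: r.nas_port_type == ETHERNET, {"Filter-Id": "802.3"}),
    ("WLAN", lambda r: r.nas_port_type == ETHERNET, {"Filter-Id": "802.11"}),
]
NETWORK_POLICIES = [
    ("Machine Basic", lambda r: "Domain Computers" in r.groups, {"Filter-Id": "MachineAuth"}),
    ("User Basic",    lambda r: "Allowed Users" in r.groups,    {"Class": "Staff"}),
]
# Controller server-derivation rules from the post: (attribute, value, role).
SERVER_DERIVATION = [
    ("Filter-Id", "802.3", "guest"), ("Filter-Id", "802.11", "guest"),
    ("Filter-Id", "MachineAuth", "ComputerAuth"), ("Class", "Staff", "Staff"),
]

def nps_evaluate(req, crp_overrides=True):
    """Return (accepted, attributes). NPS uses the first matching policy of each kind;
    a request that matches no connection request policy or no network policy is not accepted.
    ASSUMPTION: when both policies return the same attribute, the connection request
    policy value wins if crp_overrides is True, otherwise the network policy value wins."""
    crp = next((p for p in CONNECTION_REQUEST_POLICIES if p[1](req)), None)
    np_ = next((p for p in NETWORK_POLICIES if p[1](req)), None)
    if crp is None or np_ is None:
        return False, {}
    low, high = (np_[2], crp[2]) if crp_overrides else (crp[2], np_[2])
    return True, {**low, **high}          # keys in `high` overwrite the same keys in `low`

def derive_role(attrs, default_role="guest"):
    """Map returned attributes to a role. ASSUMPTION: the first matching derivation rule
    wins; verify the rule order actually configured on the controller."""
    for attr, value, role in SERVER_DERIVATION:
        if attrs.get(attr) == value:
            return role
    return default_role                   # falls back to the 802.1X default role

def final_role(req, crp_overrides=True):
    accepted, attrs = nps_evaluate(req, crp_overrides)
    return derive_role(attrs) if accepted else "REJECTED"
```

Running a wired machine-auth request through `final_role` with each precedence setting shows the Filter-Id from the connection request policy and the one from the network policy overwriting each other, which is the "when and where attributes get overwritten" question in concrete form.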