Hi everyone,
Thanks to some other posts I found here, I now have a working Aruba/NPS authentication setup for our school district. However, one item is a bit of a mystery to me. This is probably more of an NPS thing than an Aruba thing, so I apologize in advance for it being possibly off-topic. However, I thought that since there are a lot of people using NPS and Aruba out there, someone might know the answer. :)
Right now, I have 3 Network Policies defined in NPS:
The first is for Machine Authentication. All of our workstations are joined to our AD domain. The rule says that if the machine is a member of the machine group "Domain Computers", it is granted access. The policy passes back the Class value "StaffAccess", which is the role that the Aruba controller places the machine into, which is granted unrestricted access to the network.
The second rule is for employees. If the user is a member of the AD group that contains all employees, they are granted access and again, the policy passes back the Class value "StaffAccess".
The third rule is for students. If the user is a member of the AD group that contains all students, they are granted access, but this time, the policy passes back the Class value "StudentAccess".
On my Aruba controller, in the server group, I have one Server Rule defined:
* Attribute: Class
* Operation: value-of
* Type: String
* Action: set role
The role that is applied to the user or computer, either "StaffAccess" or "StudentAccess", has certain firewall rules applied to it. To be specific, "StaffAccess" has no rules, so it's wide open, and "StudentAccess" has rules that effectively only give access to the internet, not any internal resources.
That all works great! Where I'm confused, though, is what happens if a user doesn't belong to any of the groups defined in my NPS rules. We have a few "generic" accounts in AD that don't belong to either of those groups. For example, our site techs each have a generic account (not their own personal account) that is assigned to the site. They use that for logging into school workstations to perform administrative tasks that are normally locked down. Since the workstations all do machine auth, this isn't a problem, but one of our techs once tried to use one of these accounts on her iPad, and found that she couldn't connect to an Apple TV. When I looked on the local controller at her site, I saw that her account had been placed into the "StudentAccess" role. But I'm trying to figure out how that happened! :)
Does NPS apply the last policy in your policy set to you even if you don't match the criteria? Or is this something the Aruba controller did, and if so, how did it determine which role to place her in?
Thanks!
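The setup described in the post, modelled as an added example (not code from the original post, NPS, or Aruba): three NPS network policies walked top to bottom with first match wins, each returning a RADIUS Class attribute that the controller's "Class value-of set role" rule maps directly to a role name. The AD group names, the `default_role` fallback, and the `audit_unexpected_role` helper are assumptions made for illustration; the model lets you compare the role the controller actually assigned against what the policy set predicts for a given account's group memberships, which is the first check to run when an account lands in a role you did not expect.

```python
from dataclasses import dataclass

# Constructed model of the post's setup: an ordered list of NPS network
# policies, each keyed on one AD group and returning one Class value.

@dataclass
class NetworkPolicy:
    name: str
    required_group: str   # AD group the account (or machine) must belong to
    class_value: str      # RADIUS Class attribute returned on a match

# Policy order as described in the post. Group names are placeholders.
POLICIES = [
    NetworkPolicy("Machine Authentication", "Domain Computers", "StaffAccess"),
    NetworkPolicy("Employees", "All-Employees", "StaffAccess"),
    NetworkPolicy("Students", "All-Students", "StudentAccess"),
]


def evaluate_nps(groups):
    """Return (granted, matched_policy_name, class_value).

    NPS evaluates network policies in order and applies the first one whose
    conditions match; evaluation stops there. If no policy matches, the
    request is rejected and no Class attribute is returned at all.
    """
    for policy in POLICIES:
        if policy.required_group in groups:
            return True, policy.name, policy.class_value
    return False, None, None


def aruba_role(class_value, default_role="DEFAULT-ROLE-PLACEHOLDER"):
    """Model of the server rule 'Attribute Class, value-of, set role':
    the Class string itself becomes the role name. The fallback name for a
    successful auth with no usable Class is an assumption here; on a real
    controller it is whatever default role the auth profile is configured
    with, and that setting should be checked explicitly."""
    return class_value if class_value else default_role


def resolve(groups):
    """Full path: NPS policy match, then controller role assignment."""
    granted, policy_name, class_value = evaluate_nps(set(groups))
    if not granted:
        # Rejected by NPS: the controller never assigns a post-auth role.
        return {"granted": False, "policy": None, "role": None}
    return {"granted": True, "policy": policy_name,
            "role": aruba_role(class_value)}


def audit_unexpected_role(groups, observed_role):
    """Defender's check for the situation in the post: does the role the
    controller actually assigned match what the policy set predicts for the
    account's real group memberships? A mismatch means either the account's
    memberships are not what you assumed (pull them from AD, not from
    memory) or the role came from a source other than the Class attribute,
    such as a controller-side default."""
    return resolve(groups)["role"] == observed_role


if __name__ == "__main__":
    # Constructed sample accounts.
    print(resolve({"Domain Computers"}))                  # StaffAccess
    print(resolve({"All-Employees", "All-Students"}))     # StaffAccess (first match)
    print(resolve({"All-Students"}))                      # StudentAccess
    print(resolve(set()))                                 # rejected, no role
    # Generic account believed to be in no group, observed in StudentAccess:
    print(audit_unexpected_role(set(), "StudentAccess"))  # False -> investigate
```

Run the audit with the account's group list exported from AD rather than a hand-typed one; the value of the check is that it forces the comparison between the memberships you think an account has and the role the controller shows for it.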