Requirement:What is a NAS id?
It is primarily used to notify the source of RADIUS access request so that, the RADIUS server can choose Policy for that request.
The source IP address of the Access-Request packet MUST be used to select the shared secret (RADIUS Client).
The NAS-Identifier Attribute will have a field of string type, which will carry the actual NAS id. This id can be a FQDN of the NAS or any unique string to identify the NAS.
In Aruba box, NAS id can be configured in “Authentication-Server” along with RADIUS Client (Host) and Shared secret (Key).
Solution:
How to use NAS id:
Scenario 1 : Two SSID's (example SSID 1 & SSID 2), both uses same RADIUS server (Microsft IAS/NPS), we want user A (Admin) can connect (Authenticated ) only to SSID 1, and USER B (TAC) can connect (Authenticated ) only to SSID 2.
Aruba Controller can send multiple RADIUS attributes along with the RADIUS request such as,
- Aruba-Essid-Name
- Aruba-Location-Id
- Aruba-AP-Group
- Aruba-User-Vlan etc..
But, IAS/NPS cannot distinguish these attributes while evaluating the policy, it can determine only the NAS id hence we need to send unique NAS ids from the Controller.
The above scenario can be accomplished by defining two different “RADIUS-servers” profile pointing to the same RADIUS server with two different NAS ids.
Configuration:
SSID-1-Server,
SSID-2-Server,
- Now map These Servers to two different server-groups (Group-1 and Group-2)
- Map Group-1 to AAA-Profile-1, AAA-Profile-1 to VAP-1 where SSID-1 is mapped.
- Map Group-2 to AAA-Profile-2, AAA-Profile-2 to VAP-2 where SSID-2 is mapped.
- Create a Remote access policy in IAS/NPS which will be mapped to AD-Gorup and NAS-id as an additional parameter to match the policy. ( User group and NAS-id both should match)
VerificationAs per the scenario,
1. there are two SSIDs SSID1 and SSID2 are created and mapped to two different AAA profiles.
2. these AAA profiles are mapped to two different server groups pointing to the same server.
3. Two RADIUS servers are configured with NAS id as SSID-1 and SSID-2 and mapped to the same server group.
4. Two policies are configured in the IAS server with NAS id as one of the the condition along with the user group "Manager" for matching the policy and returns role "Manager1" and "Manager2" as attributes.
5. User "Jack" member of Manager group is used for testing, when jack connected to SSID1 , will be mapped to "Manager1" role and the same jack connected to SSID2, will be mapped to "Manager2" role
Setup is tested and the outputs are shown as under.
Policies matching with NAS ids
Mapping different policies to the same user, jack belongs to the same user group, "Manager" :
User jack is assigned to Manager1 role when connected to SSID1 :
User jack is assigned to Manager2 role when connected to SSID2 :