Controllerless Networks



Using Filter-Id from Microsoft NPS to set roles

  • 1.  Using Filter-Id from Microsoft NPS to set roles

    Posted Oct 20, 2016 11:29 AM

    Hi:

    I'm trying to return the Filter-Id string from Microsoft NPS to set user roles in Instant.

    Authentication is working fine, but the users keep getting the default role.

     

    I have a string value set to be returned in the 'Settings' tab of the NPS server.

    I'm using role based access control on the Instant AP. 'If Filter-Id equals <string> assign role <role>'.

     

    Is there some magic knob I'm forgetting to click?

     

    Thank you!



  • 2.  RE: Using Filter-Id from Microsoft NPS to set roles

    EMPLOYEE
    Posted Oct 20, 2016 12:55 PM

     

    Try "contains" instead of "matches"



  • 3.  RE: Using Filter-Id from Microsoft NPS to set roles

    Posted Oct 20, 2016 06:40 PM

    Hi Colin:

    Thanks for the reply.

    Still not working after using 'contains'. I also tried returning the Aruba-User-Role VSA with vendor code 14823, with an appropriate rule set up in Instant, but that didn't work either.

     

    Is there any way to see the full packet that's being returned from the NPS server? I tried a 'debug pkt type radius' with a 'debug pkt dump.'

    That showed me that a packet is coming back from the radius server, but didn't show me all the details. Is there a way to see those?

     

    Thanks!



  • 4.  RE: Using Filter-Id from Microsoft NPS to set roles

    EMPLOYEE
    Posted Oct 20, 2016 06:43 PM
    Just a side note, have you considered using the Aruba-User-Role VSA instead of filter-id? You would eliminate all of these extra steps.


  • 5.  RE: Using Filter-Id from Microsoft NPS to set roles

    Posted Oct 20, 2016 07:11 PM

    Hi Tim:

    Yes, I've tried that too.

    I've also tried setting 'Filter-Id is the role' and 'Aruba-User-Role is the role' in the Instant GUI, but users keep getting the default role.



  • 6.  RE: Using Filter-Id from Microsoft NPS to set roles
    Best Answer

    EMPLOYEE
    Posted Oct 20, 2016 07:13 PM
    You don't need any rules on the IAP side when using the Aruba VSA.


  • 7.  RE: Using Filter-Id from Microsoft NPS to set roles

    Posted Oct 20, 2016 07:31 PM

    Oops... My apologies.

    A deep study of the Windows Server Event viewer showed that the wrong rule was being hit in the NPS server. I need to play with the 'Conditions' tab in NPS.

     

    But it's good to know that you can just return the Aruba-User-Role and no rule is needed in Instant.

    Thank you.



  • 8.  RE: Using Filter-Id from Microsoft NPS to set roles

    Posted Oct 20, 2016 08:14 PM

    So I realize that this is a Windows NPS issue, but has anyone seen this?

     

    On the Network Policy, when I remove the condition that the user in the incoming request has to be a member of a certain user group, the policy works.

    But when I specify the user group in the conditions, the policy is not hit.

     

    I've checked that the user is a member of the group.

    And the Windows event log shows that the incoming request has the proper user name.

     

    Puzzling....

     



  • 9.  RE: Using Filter-Id from Microsoft NPS to set roles

    Posted Oct 20, 2016 08:21 PM

    I'll answer my own question.

    You have to select "Windows Groups" in the Conditions tab.

    Thank you.
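
For the question in post 3 about seeing what the RADIUS reply actually carries, here is an added example (not part of the original thread and not Aruba or Microsoft code) that decodes the UDP payload of an Access-Accept taken from a packet capture and lists the Filter-Id and Aruba-User-Role values in it. Filter-Id (11) and Vendor-Specific (26) are the RFC 2865 type numbers, 14823 is the vendor code from the thread, Aruba-User-Role as vendor type 1 is assumed from Aruba's RADIUS dictionary, and the sample packet and role names are constructed.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS code for Access-Accept
FILTER_ID = 11           # RFC 2865 Filter-Id
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific (VSA container)
ARUBA_VENDOR_ID = 14823  # vendor code quoted in the thread
ARUBA_USER_ROLE = 1      # assumed: Aruba-User-Role in Aruba's dictionary

def encode_attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_sample_accept(filter_id=None, aruba_role=None):
    """Constructed Access-Accept for the demo (zeroed authenticator)."""
    attrs = b""
    if filter_id is not None:
        attrs += encode_attr(FILTER_ID, filter_id.encode())
    if aruba_role is not None:
        sub = encode_attr(ARUBA_USER_ROLE, aruba_role.encode())
        attrs += encode_attr(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(attrs), b"\0" * 16) + attrs

def role_attributes(packet):
    """Return the role-bearing attributes found in one RADIUS reply."""
    code, _, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found = {"code": code, "filter_id": [], "aruba_user_role": []}
    pos = 20  # attributes start after the 20-byte header
    while pos < length:
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        a_type, value = packet[pos], packet[pos + 2:pos + a_len]
        if a_type == FILTER_ID:
            found["filter_id"].append(value.decode("utf-8", "replace"))
        elif a_type == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            while vendor == ARUBA_VENDOR_ID and len(sub) >= 2:
                s_len = sub[1]
                if s_len < 2 or s_len > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if sub[0] == ARUBA_USER_ROLE:
                    found["aruba_user_role"].append(sub[2:s_len].decode("utf-8", "replace"))
                sub = sub[s_len:]
        pos += a_len
    return found

if __name__ == "__main__":
    print(role_attributes(build_sample_accept("staff", "employee")))
```

If both lists come back empty for a real reply, the NPS policy that matched did not attach the attribute, which is the situation described in post 7.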