Network Management

So, I have been fighting with this for about a week now.  The problem; I am unable to get NPS authentication to work for both Airwave and the Aruba controller.  I can get one or the other to work, but not both at the same time.

We have been using a filter ID for management user login on the Aruba controller.  When Administrator is returned from NPS, users get root access and when employee is returned, users get guest provisioning access.  That works great.

Now, I can get management user authentication to work with Airwave when I have configured the NPS in Airwave, client on the NPS, PAP and Vendor Specific 14823 #4 String Admin.  However, this breaks the management access in Aruba.

So, the question, has anybody gotten both to work at the same time and, if so, how did you do it?  I have tried creating seperate network policies on the NPS with no success.

Hi Jeremy,

For controllers the Admin access have role 'root'. In Airwave the admin access role is 'Admin'. So for management users when you create users on NPS and have them fall in 'root' role will give you access to controller but not Airwave. Same if you create the users with 'Admin' role on NPS, the management users will not be able to access controller. The solution is to have same role on both the devices. On Airwave create a new role called 'root' from System > Roles and give that role Administrator access. Now in NPS set the role to be returned as 'root' from management users, now they will be able to log into controller and Airwave with role 'root' who has admin access to both the devices.

Thanks for your reply.

The way things are configured now, NPS doesn't provide anything to the Aruba controller except a filter-id.  Them I have a server rule in the management server group that I created that, depending upon the filter-id, the user will get a role on the controller.  In this case, if the filter-id is administrator, the user gets root.  If the filter-id is employee, the user gets guest-provisioning.  So, NPS isn't returninig a role, per se, just the filter-id.

Now, with Airwave, I understand that we have to use the vendor specific 14823 #4 String Admin (or whatever role) to get management access (with appropriate role).  If I understand what you are saying, there must be a way to use that same vendor specific attribute in the Aruba controller for managment access.

Am I way off base?

You add that Vendor-Specific attribute (root for example) to the same remote access policy that you use for the Aruba Controller.  It will send the filter-id attribute, as well as the vendor-specific (root) attribute for Airwave, so that you can re-use it for both.

looks like it is working now.  Thanks guys!

Guys,

i'm currently trying to get this to work and I'm having issues. I've got the multi-purpose access policy defined in IAS but when I authenticate on the AirWave with valid credentials it just returns the login screen again and there's nothing showing in the IAS event viewer to indicate an authentication request was ever sent. However if i use login credentials I know not to be valid the event viewer returns an failed authentication error message. Aruba admin login still works!

Any ideas

Please go to the link here:  http://support.arubanetworks.com/AirWaveKB/tabid/115/Default.aspx

Search for Management Authentication.

Broked link, please put a link in youtube how to do it NPS-Airwave auth :)

http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/56705/1/Management+Authentication+using+Windows+IAS+as+a+Radius+Server%20(1).pdf