Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1X Authentication Options

  • 1.  802.1X Authentication Options

    Posted Aug 22, 2012 09:15 PM

    Hello,

     

    I have an 802.1X authentication situation that I've never encountered before and would like to run this past the group to see what my options are. The customer would like to have two separate SSIDs, Staff and Student. Each of these SSIDs will use 802.1X authentication back to a Microsoft RADIUS server. I've done a single SSID with 802.1X authentication before with role derivation using AD user groups and a returned Filter-Id, but in this particular case I need two SSIDs and each needs to use 802.1X authentication. The problem I'm struggling with is how I can prevent student 802.1X-enabled devices from being able to connect to the staff 802.1X SSID. Is there some type of RADIUS attribute I can use that would prevent students in a "student" AD group from connecting to the Staff SSID? I've never had this type of request from a customer before and am wondering if it's possible.

     

    Thanks,

     

    John



  • 2.  RE: 802.1X Authentication Options
    Best Answer

    Posted Aug 22, 2012 09:24 PM

    Because you are using NPS you have limited options, but you do have one. You'll need to set up two RADIUS server definitions and server groups. They will both point to the same NPS server and use the same shared secret. However, for each server definition, define a unique "NAS ID", for example Staff-SSID and Student-SSID. Then set up your AAA profiles to use the respective server group. Last, set up two NPS policies, one for student authentication and one for staff authentication, with the appropriate returned attributes. In the conditions, make sure you have the NAS Identifier in there to differentiate the requests, as well as AD group memberships.

     

    For example:

    aaa authentication-server radius "nps-staff"
      nas-identifier "Staff-SSID"

     

    aaa authentication-server radius "nps-student"
      nas-identifier "Student-SSID"

     

    (ClearPass could use the Aruba-ESSID-Name attribute.)
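    As an added illustration of the complete controller side of the procedure above (this is not part of the original reply), here is an ArubaOS CLI fragment that defines both RADIUS servers, the server groups, the AAA profiles and the two virtual APs that bind them to the SSIDs. The NPS address 192.0.2.10, the shared secret, and the profile, SSID and role names are placeholders; the two `nas-identifier` values are the only thing NPS will use to tell the SSIDs apart.

```text
! Added example, not from the original post. Host, key and all names are
! placeholders; replace them with your own values.
aaa authentication-server radius "nps-staff"
   host 192.0.2.10
   key "ReplaceWithSharedSecret"
   nas-identifier "Staff-SSID"
!
aaa authentication-server radius "nps-student"
   host 192.0.2.10
   key "ReplaceWithSharedSecret"
   nas-identifier "Student-SSID"
!
aaa server-group "sg-staff"
   auth-server "nps-staff"
!
aaa server-group "sg-student"
   auth-server "nps-student"
!
aaa profile "aaa-staff"
   dot1x-server-group "sg-staff"
!
aaa profile "aaa-student"
   dot1x-server-group "sg-student"
!
wlan ssid-profile "ssid-staff"
   essid "Staff"
   opmode wpa2-aes
!
wlan ssid-profile "ssid-student"
   essid "Student"
   opmode wpa2-aes
!
wlan virtual-ap "vap-staff"
   ssid-profile "ssid-staff"
   aaa-profile "aaa-staff"
!
wlan virtual-ap "vap-student"
   ssid-profile "ssid-student"
   aaa-profile "aaa-student"
```

    Two things worth knowing when you test this: NPS identifies a RADIUS client by its source IP address, so a single RADIUS Client entry for the controller (with that shared secret) covers both server definitions; and the NAS-Identifier (RADIUS attribute 32) is inserted by the controller from the server definition, so a client device has no way to influence which NPS policy its request is matched against. Only the 802.1X server-group binding is shown in the AAA profiles; keep whatever initial and default roles your deployment already uses.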



  • 3.  RE: 802.1X Authentication Options

    Posted Aug 22, 2012 09:40 PM

    You mention Clearpass but from the details of your reply I believe you are saying I can do this without the use of Clearpass, correct? Please clarify and thanks for the tip. I will test this out.

     

    Thanks,

     

    John



  • 4.  RE: 802.1X Authentication Options

    Posted Aug 22, 2012 10:05 PM

    Yes, the procedure I outline is for NPS or even another RADIUS server that supports the NAS Identifier attribute from the controller.   If you had ClearPass Policy Manager, it could be handled with other attributes received from the controller, like the SSID name itself.



  • 5.  RE: 802.1X Authentication Options

    Posted Aug 22, 2012 10:11 PM

    Thanks for clarifying.



  • 6.  RE: 802.1X Authentication Options

    Posted Aug 22, 2012 10:16 PM

    I edited the post to hopefully be more clear to anyone reading this in the future.  I have set this type of access up before and it does work; let me know if you have any issues setting it up.



  • 7.  RE: 802.1X Authentication Options

    Posted Aug 23, 2012 12:07 PM

    I'm working on setting this up now. I do have a question.

     

    aaa authentication-server radius "nps-student"
      nas-identifier "Student-SSID"

     

    Using your above example, does the nas-identifier "Student-SSID" reference the Aruba controller profile name of the student SSID or is this the actual name of the SSID that the student devices will connect to?

     

    Thanks,

     

    John



  • 8.  RE: 802.1X Authentication Options

    Posted Aug 23, 2012 12:22 PM

    No, it does not have to be the SSID name; it can be anything you want so long as you match it in the NPS Network Policy conditions. I only put those names down to easily differentiate the two.



  • 9.  RE: 802.1X Authentication Options

    Posted Aug 23, 2012 01:02 PM

    OK that makes sense.

     

    Does the attached NPS configuration look correct to you? The Filter-Id will tell the Aruba what role to assign this user, and the NAS-Port-ID will in this case keep students from connecting to this staff SSID. Please let me know your thoughts.

     

    Thanks.



  • 10.  RE: 802.1X Authentication Options

    Posted Aug 23, 2012 03:06 PM

    No, the NAS-Port-ID you put under the Advanced/Attributes section is not in the right place. You'll want to add NAS-Identifier to the Conditions section, under the Settings page of the Network Policy (your screenshot has NAS-Port-Type matches Wireless and Windows Group matches Fraser\Staff Wireless). On this page, add NAS-Identifier matches Staff-SSID (or whatever you put on the controller).


    This will ensure that only wireless requests which have the NAS-Identifier set to Staff-SSID, from users in the Staff Wireless group, will be granted access; the Filter-Id attribute is then returned to define the user role.
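    To make the difference between a condition and a returned attribute concrete, here is an added, constructed model of how NPS evaluates its Network Policies (this is not NPS code and not from the original posts): policies are walked in processing order, the first one whose conditions all match wins, and only that policy's settings, such as the Filter-Id, are returned. The CORRECT set has NAS-Identifier as a condition; the BROKEN set leaves it out, as in the first attempt above. Group, role and NAS-Identifier names are placeholders.

```python
"""Model of NPS Network Policy evaluation for the two-SSID setup in this thread.

Added, constructed example; not NPS code. It reproduces the one behaviour that
matters here: conditions gate the match, settings are only applied afterwards,
and a RADIUS attribute placed under a policy's Attributes page is returned,
not evaluated, so it cannot block anyone.
"""
from dataclasses import dataclass

ACCEPT, REJECT = "Access-Accept", "Access-Reject"
WIRELESS = "Wireless - IEEE 802.11"   # NAS-Port-Type value NPS shows for Wi-Fi


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: dict       # RADIUS attribute -> value that must match exactly
    groups: frozenset      # Windows Groups condition: user must be in any one
    filter_id: str         # returned on accept; the controller maps it to a role


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # the user's AD group memberships
    attrs: dict            # attributes the controller put in the Access-Request


def evaluate(policies, req):
    """Return (ACCEPT, filter_id) from the first matching policy, else (REJECT, None)."""
    for p in policies:
        attrs_ok = all(req.attrs.get(k) == v for k, v in p.conditions.items())
        if attrs_ok and req.groups & p.groups:
            return ACCEPT, p.filter_id
    return REJECT, None    # no policy matched: NPS rejects by default


# Policies as recommended above: NAS-Identifier is a *condition* (placeholder names).
CORRECT = [
    Policy("Staff Wireless",
           {"NAS-Port-Type": WIRELESS, "NAS-Identifier": "Staff-SSID"},
           frozenset({"Staff Wireless"}), "staff"),
    Policy("Student Wireless",
           {"NAS-Port-Type": WIRELESS, "NAS-Identifier": "Student-SSID"},
           frozenset({"Student Wireless"}), "student"),
]

# Policies with the SSID marker only as a returned attribute: the conditions are
# the same as a single-SSID setup, so nothing distinguishes the two SSIDs.
BROKEN = [
    Policy("Staff Wireless", {"NAS-Port-Type": WIRELESS},
           frozenset({"Staff Wireless"}), "staff"),
    Policy("Student Wireless", {"NAS-Port-Type": WIRELESS},
           frozenset({"Student Wireless"}), "student"),
]


def request(user, groups, nas_id):
    """Constructed Access-Request; NAS-Identifier comes from the controller's
    authentication-server definition, never from the client device."""
    return Request(user, frozenset(groups),
                   {"NAS-Port-Type": WIRELESS, "NAS-Identifier": nas_id})


staff_on_staff = request("alice", {"Staff Wireless"}, "Staff-SSID")
student_on_staff = request("bob", {"Student Wireless"}, "Staff-SSID")
student_on_student = request("bob", {"Student Wireless"}, "Student-SSID")

if __name__ == "__main__":
    for label, req in [("staff on Staff-SSID", staff_on_staff),
                       ("student on Staff-SSID", student_on_staff),
                       ("student on Student-SSID", student_on_student)]:
        print(f"{label:24s} correct={evaluate(CORRECT, req)}  broken={evaluate(BROKEN, req)}")
```

    With the BROKEN policies a student on the Staff SSID still gets an Access-Accept (with the student Filter-Id), because the student policy's conditions are satisfied on either SSID; with the CORRECT policies the same request matches neither policy and is rejected.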



  • 11.  RE: 802.1X Authentication Options

    Posted Aug 23, 2012 03:12 PM

    Ah, got it now! Please see the attached and confirm this looks correct.

     

    Thanks for all the help. We'll test it out shortly and I'll let you know how it turned out.

     

     



  • 12.  RE: 802.1X Authentication Options

    Posted Aug 23, 2012 03:27 PM

    That looks right. 



  • 13.  RE: 802.1X Authentication Options

    Posted Aug 23, 2012 04:53 PM

    It works! Thanks again for all the excellent assistance. I really appreciate it AND I learned some cool new stuff!

     

    Best regards,

     

    John



  • 14.  RE: 802.1X Authentication Options

    Posted Sep 18, 2012 06:23 PM

    You can define rules on CPPM based on AD groups if students and staff are in different AD groups.