Occasional Contributor I

EAP-PEAP & EAP-TLS co-existing using same MS NPS server

Hi Guys,


Trying to work out the *best* way to achieve this if possible. It's been a long time between Aruba lunches so just getting back into the swing of things and thoughts are appreciated!


Setup - dual controllers, single corporate NPS server, single airwaves server. No clearpass.


SSID 1 - full access - Corporate devices auth'd via machine certs - EAP-TLS using corporate MS NPS server

SSID 2 - internet access only - BYOD devices auth'd via EAP-PEAP - using the same corporate MS NPS server.


We definitely do not want any misconfiguration on NPS policy that would allow users to get their xPhones & xPads onto SSID 1 via PEAP.


We ideally do not want corporate laptops on SSID 2 by default (although not sure if this is too much effort to try and block)


They have an existing "basic" setup for SSID 1 - about as complex as the NPS policy gets is checking the computer is a member of a group (plus cert of course).


Is there an achievable way to get this happening without breaking too much of the existing setup?


Would it help simplicity to farm off the auth for SSID 2 to another radius box?






Guru Elite

Re: EAP-PEAP & EAP-TLS co-existing using same MS NPS server

The second radius box would be the best (and probably the only) way.


There is little flexibility within NPS to enforce PEAP vs. EAP-TLS in a single NPS installation. The NPS box also cannot tell which SSID the authentication came in on to restrict an EAP type to an SSID.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: EAP-PEAP & EAP-TLS co-existing using same MS NPS server

You could have different server-groups such that the radius-server profiles are identical except they send different NAS-Identifier.


You can then have different policies on the NPS that filter on those NAS-Identifiers, like this.




I thought on NPS you can also specify the auth method like this,




I've actually done what you describe using only a single ssid and dynamic server selection.  Basically, anything that is not a domain machine gets sent with a NAS-Identifier=mobile.  The NPS policy filters on that and returns an attribute of Filter-ID=mobile.  Server rule defined such that if Filter-ID=mobile then role=mobile.  That role is mapped to the guest vlan, and the users don't consume the mpls resources.



If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
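
The NAS-Identifier approach described in the post above can be sanity-checked before touching the live server. The following is an added example, not code from any poster or from Aruba or Microsoft: a simplified Python model of ordered NPS network policies (first policy whose conditions match decides; a failed constraint rejects without falling through) that reports which EAP types each SSID would accept. The policy names, the `corp` NAS-Identifier, the group names and the probe requests are constructed for illustration; only `mobile` comes from the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    nas_identifier: Optional[str]  # condition; None = matches any NAS-Identifier
    machine_group: Optional[str]   # condition; None = no group check
    eap_types: frozenset           # constraint: EAP methods allowed by this policy
    filter_id: str                 # Filter-Id attribute returned on accept

def evaluate(policies, request):
    """Return (policy, Filter-Id) on accept, (policy or None, None) on reject."""
    for p in policies:
        if p.nas_identifier is not None and p.nas_identifier != request["nas_identifier"]:
            continue
        if p.machine_group is not None and p.machine_group not in request["groups"]:
            continue
        # Conditions matched: the constraint decides, later policies are not tried.
        if request["eap"] in p.eap_types:
            return p.name, p.filter_id
        return p.name, None
    return None, None

def audit(policies, nas_identifiers, probes):
    """Map each NAS-Identifier (one per SSID) to the EAP types that get accepted."""
    result = {}
    for nas in nas_identifiers:
        accepted = set()
        for probe in probes:
            _, filter_id = evaluate(policies, {**probe, "nas_identifier": nas})
            if filter_id is not None:
                accepted.add(probe["eap"])
        result[nas] = accepted
    return result

# Constructed sample data (assumed names, not taken from a real NPS export).
SSIDS = ["corp", "mobile"]
PROBES = [
    {"eap": "EAP-TLS", "groups": {"Domain Computers"}},  # corporate laptop, machine cert
    {"eap": "PEAP", "groups": {"Domain Computers"}},     # corporate laptop, password
    {"eap": "PEAP", "groups": {"Domain Users"}},         # BYOD phone or tablet
]
CORP_TLS = Policy("corp-tls", "corp", "Domain Computers", frozenset({"EAP-TLS"}), "corp")
GOOD = [CORP_TLS, Policy("byod-peap", "mobile", None, frozenset({"PEAP"}), "mobile")]
# Same PEAP policy with the NAS-Identifier condition forgotten.
WEAK = [CORP_TLS, Policy("byod-peap", None, None, frozenset({"PEAP"}), "mobile")]

if __name__ == "__main__":
    print("good:", audit(GOOD, SSIDS, PROBES))
    print("weak:", audit(WEAK, SSIDS, PROBES))
```

In the `WEAK` set the BYOD device fails the group condition on `corp-tls`, falls through to the unscoped PEAP policy and is accepted on the corporate SSID, which is the misconfiguration the original question wants to rule out.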