Security



Microsoft NPS custom attributes

  • 1.  Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:44 AM

    Hi fellow Airheads,

     

    Anyone know if it is possible for the NPS server to send a custom attribute back to our Aruba wireless controller?  We would like to use this attribute to help dictate which wireless role to put a particular device on.  We are looking to leverage the Active Directory global group which the device is in and send the group name attribute back to the Aruba wireless controller.  From there the Aruba can use that attribute to determine the wireless role.

     

    Thanks in advance,

    Bill



  • 2.  RE: Microsoft NPS custom attributes

    EMPLOYEE
    Posted Sep 03, 2013 11:46 AM

    Yes.  This is supported.  I would suggest using Filter-IDs; then, in the AAA server group, you can do a server-derived role using the following logic:

    IF Filter-ID EQUALS "Student" THEN set-role Student

     

     



  • 3.  RE: Microsoft NPS custom attributes

    Posted Sep 06, 2013 09:36 AM

    @SethFiermonti wrote:

    Yes.  This is supported.  I would suggest using Filter-IDs; then, in the AAA server group, you can do a server-derived role using the following logic:

    IF Filter-ID EQUALS "Student" THEN set-role Student

     

     



    This is what we do and it works really well; you just have to remember that in NPS everything is chained in order.  So, if you wanted to add different levels of control for your students: let's say you have all students, but then you also want additional controls for BYOD students; all the user accounts are in AD and you have groups set up for "byod students", and those students are also in the "AllStudents" group.

     

    You would have to order your policies in NPS like this:

    "BYOD Students" => filterID = BYODstudents

    "AllStudents" => filterID = AllStudents

     

    You can create a nice dynamic ACL environment using just NPS and the aruba gear :)

     

    -Dan
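
Added example, not from the thread and not from NPS itself: a small model of NPS network-policy evaluation, which is first-match in list order, showing why the more specific "BYOD Students" policy has to sit above "AllStudents" and how to flag a policy that can never match because an earlier one already catches a superset group. The user names, group names and the `subset_of` map of AD group nesting are constructed for the example.

```python
# Added example: first-match policy ordering as described in the thread.
# Policy/User/evaluate/shadowed are illustrative names, not NPS APIs.
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    required_group: str   # the "Windows Groups" condition of the network policy
    filter_id: str        # the Filter-Id returned on Access-Accept when it matches


@dataclass
class User:
    name: str
    groups: set


def evaluate(policies, user):
    """Return (policy name, Filter-Id) of the first matching policy, or None (no match)."""
    for p in policies:
        if p.required_group in user.groups:
            return p.name, p.filter_id
    return None


def shadowed(policies, subset_of):
    """Names of policies that can never match: an earlier policy already matches a
    group that contains this policy's group. subset_of maps a group to the groups
    it is nested inside (constructed knowledge of the AD group hierarchy)."""
    out = []
    for i, p in enumerate(policies):
        earlier_groups = {q.required_group for q in policies[:i]}
        if earlier_groups & subset_of.get(p.required_group, set()):
            out.append(p.name)
    return out


# Constructed sample data: every BYOD student is also in AllStudents.
ALICE = User("alice", {"AllStudents", "BYODstudents"})
BOB = User("bob", {"AllStudents"})
CARL = User("carl", {"Contractors"})
GROUP_NESTING = {"BYODstudents": {"AllStudents"}}

CORRECT_ORDER = [
    Policy("BYOD Students", "BYODstudents", "BYODstudents"),
    Policy("AllStudents", "AllStudents", "AllStudents"),
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for order, label in ((CORRECT_ORDER, "correct"), (WRONG_ORDER, "wrong")):
        print(label, "alice ->", evaluate(order, ALICE), "shadowed:", shadowed(order, GROUP_NESTING))
```

With the policies in the wrong order, alice (a BYOD student) silently receives the broader AllStudents Filter-Id, which the controller then maps to the less restrictive role; `shadowed()` is the kind of check worth running whenever a policy is inserted, since NPS gives no warning that a later policy has become unreachable.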



  • 4.  RE: Microsoft NPS custom attributes

    EMPLOYEE
    Posted Sep 06, 2013 09:41 AM

    The MUCH easier method is using ClearPass for AAA!  :)



  • 5.  RE: Microsoft NPS custom attributes

    Posted Sep 06, 2013 09:43 AM

    @SethFiermonti wrote:

    The MUCH easier method is using ClearPass for AAA!  :)


    Well, it is a tad more expensive :)  If it were included then I would be all over it.  But this will allow some finer controls for your users.



  • 6.  RE: Microsoft NPS custom attributes

    Posted Sep 06, 2013 01:07 PM

    Yup.  ClearPass is on its way.  :)  But for now we needed a solution for the time being.  Thanks all for the replies.



  • 7.  RE: Microsoft NPS custom attributes

    EMPLOYEE
    Posted Sep 03, 2013 11:48 AM
    You can use the filter-id attribute to return a tag then create a server
    derived rule on the controller that maps the filter-id to a role.


  • 8.  RE: Microsoft NPS custom attributes

    EMPLOYEE
    Posted Sep 03, 2013 11:55 AM

    The below is using MS IAS but should be somewhat similar with NPS I would hope. You would also need to go ahead and configure the appropriate policies.  TechNet at the Microsoft website should have a plethora of articles on this.

     

    Method 1: Use a Vendor-Specific Attribute

     

    1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
    2. Click Remote Access Policies, right-click the policy that you want to configure a vendor-specific attribute for, and then click Properties.
    3. Click Edit Profile, click the Advanced tab, and then click Add.
    4. In the list of available RADIUS attributes, click Aruba-User-Role, click Add, and then click Add.
    5. In the Attribute value box, type Student.

      Note: This example shows a configuration that uses the Aruba role Student. Your configuration will vary.

    Method 2: Use a Standard RADIUS Attribute Filter-ID

     

    1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Authentication Service.
    2. Click Remote Access Policies.
    3. Right-click the policy that you want to configure a vendor-specific attribute for, and then click Properties.
    4. Click Edit Profile, click the Advanced tab, and then click Add.
    5. In the list of available RADIUS attributes, click Filter-ID, click Add, and then click Add.
    6. In the Enter the attribute value in box, click String, and then type student.


  • 9.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 11:58 AM

    Thanks for the quick replies.  I don't have much exposure to the NPS side of things, since our AD/Security group takes care of it.  Can someone give me a quick run-through or point me to an article on how to set this up from the NPS side... if there is any setup.

     

    Thanks.



  • 10.  RE: Microsoft NPS custom attributes

    EMPLOYEE
    Posted Sep 03, 2013 11:59 AM

    The above was that config help with MS.  I will let others chime in if they know.



  • 11.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 12:01 PM

    Thanks Seth for the walk through.



  • 12.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 01:31 PM

    To elaborate on Seth's response: you can use any of the Aruba standard VSAs (listed below).  The process is the same; just the assigned attribute number would differ, depending on what your goal is.  Don't forget to set up a corresponding rule on the Server Group side.  The following is a modified example from an earlier post.

     

    Policy Name - Wireless-IT-Role-Assignment

    Type of Network Access Server - Unspecified

    Conditions - add whatever you typically add; but make sure you have Windows Group matches IT

    Access Granted

    EAP Type - add whatever authentication types you use

    Constraints - NONE

    RADIUS Attributes

    • Click Vendor Specific; click Add
    • Choose Vendor Specific from the Vendor choice; click Add
    • Click to add attribute information
    • Select Vendor Code = 14823 and Yes it conforms, click Configure Attributes
    • Choose 1 as your assigned attribute number (for Aruba-User-Role in the below table)
    • Attribute format = string
    • Attribute value = authenticated (role name)
    • Click OK to close out

     

    On your Server Group that has the NPS servers defined, add a server-derived rule that will look for this attribute from NPS and then apply the role.   This will set the role to whatever value is sent by NPS for Aruba-User-Role (or, to NPS, Vendor 14823, attribute 1).

    set role condition "Aruba-User-Role" value-of position 1

     

      

    Here are some of the supported VSAs; there are probably more by now.

    Vendor Code: 14823

    Attribute                     Attribute Number   Format
    Aruba-User-Role               1                  string
    Aruba-User-Vlan               2                  integer
    Aruba-Priv-Admin-User         3                  integer
    Aruba-Admin-Role              4                  string
    Aruba-Essid-Name              5                  string
    Aruba-Location-Id             6                  string
    Aruba-Port-Id                 7                  string
    Aruba-Template-User           8                  string
    Aruba-Named-User-Vlan         9                  string
    Aruba-AP-Group                10                 string
    Aruba-Framed-IPv6-Address     11                 string
    Aruba-Device-Type             12                 string
    Aruba-AP-Name                 13                 string
    Aruba-No-DHCP-Fingerprint     14                 integer
    Aruba-Mdps-Device-Udid        15                 string
    Aruba-Mdps-Device-Imei        16                 string
    Aruba-Mdps-Device-Iccid       17                 string
    Aruba-Mdps-Max-Devices        18                 integer
    Aruba-Mdps-Device-Name        19                 string
    Aruba-Mdps-Device-Product     20                 string
    Aruba-Mdps-Device-Version     21                 string
    Aruba-Mdps-Device-Serial      22                 string
    Aruba-CPPM-Role               23                 string
    Aruba-AirGroup-User-Name      24                 string
    Aruba-AirGroup-Shared-User    25                 string
    Aruba-AirGroup-Shared-Role    26                 string
    Aruba-AirGroup-Device-Type    27                 integer
    Aruba-Auth-Survivability      28                 string
    Aruba-AS-User-Name            29                 string
    Aruba-AS-Credential-Hash      30                 string
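
Added example, not from the thread, from NPS or from ArubaOS: it encodes the two return attributes discussed above, the standard Filter-Id (RFC 2865 type 11) and the Aruba VSA Aruba-User-Role (Vendor-Specific type 26, vendor 14823, vendor-type 1, from the table posted), into RADIUS attribute bytes, parses them back the way a NAS would, and then applies server-derived-role rules in position order, covering both the "value-of" form and the "IF Filter-ID EQUALS ... THEN set-role" form from earlier replies. The rule tuples, `derive_role`, the role names and the "default" fallback role are assumptions for illustration; the byte layout follows RFC 2865.

```python
# Added example: RADIUS Filter-Id and Aruba VSA encoding/decoding plus
# first-match server-derived role selection. Not ArubaOS or NPS code.
import struct

ATTR_FILTER_ID = 11          # standard RADIUS Filter-Id
ATTR_VENDOR_SPECIFIC = 26    # standard RADIUS Vendor-Specific
ARUBA_VENDOR_ID = 14823
# Subset of the VSA table posted in the thread: vendor-type -> (name, format)
ARUBA_VSA = {1: ("Aruba-User-Role", "string"),
             2: ("Aruba-User-Vlan", "integer"),
             4: ("Aruba-Admin-Role", "string"),
             23: ("Aruba-CPPM-Role", "string")}


def encode_filter_id(value: str) -> bytes:
    """Type | Length | text. Length counts the 2-byte header; one attribute is at most 255 bytes."""
    data = value.encode()
    if len(data) > 253:
        raise ValueError("Filter-Id value too long for one attribute")
    return struct.pack("!BB", ATTR_FILTER_ID, 2 + len(data)) + data


def encode_aruba_vsa(vendor_type: int, value) -> bytes:
    """26 | Length | Vendor-Id(4) | vendor-type | vendor-length | value."""
    name, fmt = ARUBA_VSA[vendor_type]
    data = struct.pack("!I", value) if fmt == "integer" else str(value).encode()
    if len(data) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (inner header)
        raise ValueError(f"{name} value too long for one attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), ARUBA_VENDOR_ID) + inner


def _decode_aruba(vdata: bytes):
    """Walk the vendor data; unknown vendor-types are skipped rather than guessed at."""
    out, i = [], 0
    while i < len(vdata):
        if i + 2 > len(vdata):
            raise ValueError("truncated VSA header")
        vt, vl = vdata[i], vdata[i + 1]
        if vl < 2 or i + vl > len(vdata):
            raise ValueError("malformed VSA length")
        raw = vdata[i + 2:i + vl]
        if vt in ARUBA_VSA:
            name, fmt = ARUBA_VSA[vt]
            if fmt == "integer":
                if len(raw) != 4:
                    raise ValueError(f"{name} integer must be 4 bytes")
                out.append((name, struct.unpack("!I", raw)[0]))
            else:
                out.append((name, raw.decode()))
        i += vl
    return out


def decode_attributes(blob: bytes):
    """Parse the attribute list of an Access-Accept into (name, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute length")
        val = blob[i + 2:i + ln]
        if t == ATTR_FILTER_ID:
            out.append(("Filter-Id", val.decode()))
        elif (t == ATTR_VENDOR_SPECIFIC and len(val) >= 4
              and struct.unpack("!I", val[:4])[0] == ARUBA_VENDOR_ID):
            out.extend(_decode_aruba(val[4:]))
        i += ln  # other attributes are left for other consumers
    return out


# Server-derived rules evaluated in position order, like the controller's rule list:
#   ("attribute", "value-of", None, None) -> the role is the attribute's value
#   ("attribute", "equals", match, role)  -> set role when the value equals match
def derive_role(attrs, rules, default="default"):
    for attr, op, match, role in rules:
        for name, value in attrs:
            if name != attr:
                continue
            if op == "value-of":
                return str(value)
            if op == "equals" and str(value) == match:
                return role
    return default  # no rule hit: fall back to the profile's default role (assumed name)


if __name__ == "__main__":
    # Constructed Access-Accept payload: Filter-Id plus two Aruba VSAs.
    accept = encode_filter_id("Student") + encode_aruba_vsa(1, "authenticated") + encode_aruba_vsa(2, 100)
    attrs = decode_attributes(accept)
    print(attrs)
    print(derive_role(attrs, [("Aruba-User-Role", "value-of", None, None)]))
    print(derive_role(attrs, [("Filter-Id", "equals", "Student", "Student")]))
```

The two rule styles differ in what they trust: an "equals" rule only ever produces roles that are spelled out on the controller, whereas "value-of" assigns whatever string NPS returns, so with that form the set of NPS policies (and the AD group memberships behind them) effectively becomes the role table. The encoders refuse values that do not fit in one attribute instead of silently truncating, and the decoders reject inconsistent lengths rather than reading past the buffer.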

     



  • 13.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 02:26 PM

    Do these attributes need to be added one by one as needed?  Is there a way to import them into the NPS?

     

    Thanks.



  • 14.  RE: Microsoft NPS custom attributes

    Posted Sep 03, 2013 02:28 PM

    Microsoft does not allow them to be imported, and they can only be used for return attributes; not for setting conditions in your policies.