Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
NPS Vlan Attribute

  • 1.  NPS Vlan Attribute

    Posted Sep 11, 2013 07:47 AM

    Hi there,

    I have configured our Microsoft NPS server to send a return attribute to our Aruba controller in the form of a VLAN ID. The attribute I am sending with the VLAN number is the Tunnel-Pvt-Group-ID.

    However, Aruba seems not to acknowledge the VLAN and does not drop users into the correct VLAN.

    Can anyone advise what I would need to configure on the Aruba controller to allow this to happen?

    I'm basically trying to get Aruba to assign VLANs based on the return attribute (VLAN ID). The NPS server is determining which AD security group each user belongs to and then sends the appropriate return attribute.

    Thanks

    SW



  • 2.  RE: NPS Vlan Attribute

    EMPLOYEE
    Posted Sep 11, 2013 07:53 AM

    To see what RADIUS attributes are coming back:

    config t
    logging level debugging security process authmgr
    logging level debugging security subcat aaa

    show log security 50
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=48, srv=192.168.1.32, fd=78
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:82]  Current entry: srv=192.168.1.32, fd=78
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:37] Del Request: id=48, srv=192.168.1.32, fd=78
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1029] Authentication Successful
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: 0 
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 20 
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \005 
    Sep 11 06:52:17 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: \366\262x\225\220K\202\356\025\031\003q\264(\252I 
    Sep 11 06:52:17 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=radius-accounting, server=cppm-192.168.1.32, user=70:56:81:b2:cc:15 
    Sep 11 06:52:17 :124004:  <DBUG> |authmgr|  Auth server 'cppm-192.168.1.32' response=0



  • 3.  RE: NPS Vlan Attribute

    EMPLOYEE
    Posted Sep 11, 2013 07:56 AM


  • 4.  RE: NPS Vlan Attribute

    Posted Sep 11, 2013 07:58 AM

    Hi cjoseph,

    Thanks very much for the quick reply. I believe the attribute is being sent to Aruba, but my issue is that I don't know what to configure on the Aruba end so that it takes the return attribute as a VLAN tag. At the moment it doesn't seem to be tagging the user traffic with a VLAN tag based on the return attribute. How can I solve that?

    Thanks

    SW



  • 5.  RE: NPS Vlan Attribute

    Posted Sep 11, 2013 08:07 AM
    In the server group that is in use, add a server derivation rule that says "Set the VLAN to the value returned in Tunnel-Private-Group-ID". To do this, click on Configuration > Authentication > Server Group, then select the appropriate server group. Under Server Rules, click New. Select Condition = Tunnel-Private-Group-ID, set the next field to value-of and change "set role" to "set vlan", then click add. Make sure you save the config to startup (the Save Configuration button on top). The VLAN should now change when a user is authenticated via NPS and the VLAN value is passed back as Tunnel-Private-Group-ID.
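    The following is an added example, not code from this thread, from Aruba or from Microsoft. It shows what the derivation rule described in the reply above actually consumes, and what the attribute dump from reply 2 would contain once NPS returns the VLAN: a constructed RADIUS Access-Accept is parsed, the RFC 2868 tag octet on Tunnel-Private-Group-ID (NPS calls the same attribute 81 "Tunnel-Pvt-Group-ID") is stripped, and the VLAN is derived. In strict mode it also requires Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 as RFC 3580 expects; non-strict mode keys on Tunnel-Private-Group-ID alone, like the "value-of" rule. The packet bytes, the zeroed authenticator and the names build_accept and derive_vlan are all constructed for this example.

```python
"""Decode RFC 2868 tunnel attributes from a RADIUS Access-Accept and derive
the VLAN the way a "set vlan to the value of Tunnel-Private-Group-ID" rule
would.  Added example, not Aruba or Microsoft code; every packet is built here."""
import struct

ACCESS_ACCEPT = 2            # RFC 2865 packet code
TUNNEL_TYPE = 64             # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type VLAN
TUNNEL_MEDIUM_802 = 6        # RFC 3580: Tunnel-Medium-Type IEEE 802


def parse_packet(pkt):
    """Validate the 20-octet RADIUS header and return [(type, value), ...].
    Length checks are strict: a short or overlong attribute is an error, not a
    silently truncated value.  Verifying the Response Authenticator against
    the shared secret is the NAS's job and is out of scope here."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field %d != packet size %d" % (length, len(pkt)))
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    attrs, i = [], 20
    while i < len(pkt):
        if len(pkt) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return attrs


def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet + 24-bit big-endian int."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """Tunnel-Private-Group-ID: a leading octet <= 0x1F is a tag; anything
    larger is the first character of the group id (RFC 2868 section 3.6)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def derive_vlan(pkt, strict=True):
    """Return the VLAN from the first usable tunnel set in the Accept: an int
    for a numeric id in 1..4094, a str for a VLAN name, None if nothing usable.
    strict=True also demands Tunnel-Type=VLAN and Tunnel-Medium-Type=802 with
    the same tag; strict=False keys on Tunnel-Private-Group-ID alone."""
    sets = {}                      # tag -> {"type", "medium", "group"}
    for atype, value in parse_packet(pkt):
        if atype == TUNNEL_TYPE:
            tag, v = tagged_int(value)
            sets.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = tagged_int(value)
            sets.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = tagged_string(value)
            sets.setdefault(tag, {})["group"] = v
    for tag in sorted(sets):
        s = sets[tag]
        if strict and (s.get("type") != TUNNEL_TYPE_VLAN
                       or s.get("medium") != TUNNEL_MEDIUM_802):
            continue
        group = s.get("group")
        if not group:
            continue
        try:
            text = group.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isdigit():
            vid = int(text)
            return vid if 1 <= vid <= 4094 else None   # out-of-range id: reject
        return text                                     # VLAN name, caller resolves
    return None


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_accept(vlan, tag=0, with_type=True):
    """Constructed Access-Accept carrying a VLAN assignment (sample data, not
    a capture).  The Response Authenticator is zeroed: nothing here checks it."""
    tagb = bytes([tag])
    body = b""
    if with_type:
        body += _attr(TUNNEL_TYPE, tagb + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        body += _attr(TUNNEL_MEDIUM_TYPE, tagb + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    body += _attr(TUNNEL_PRIVATE_GROUP_ID, (tagb if tag else b"") + str(vlan).encode())
    return struct.pack("!BBH", ACCESS_ACCEPT, 48, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    print(derive_vlan(build_accept(100)))                         # 100
    print(derive_vlan(build_accept(200, tag=1)))                  # 200 (tag octet stripped)
    print(derive_vlan(build_accept(300, with_type=False)))        # None (no Tunnel-Type)
    print(derive_vlan(build_accept(300, with_type=False), strict=False))  # 300
```

    The tag handling is the part worth keeping in mind when NPS appears to send the right number and the NAS still does not match: if a tag is set on the NPS attribute, the string on the wire starts with a tag octet, and anything that treats the raw bytes as the VLAN string will not see "200". The strict check mirrors RFC 3580, which ties the VLAN to Tunnel-Type 13 and Tunnel-Medium-Type 6; the Aruba "value-of" rule in the reply above looks only at Tunnel-Private-Group-ID, which the strict=False path reproduces.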


  • 6.  RE: NPS Vlan Attribute

    EMPLOYEE
    Posted Sep 11, 2013 09:05 AM

    The set vlan option is good but you can also assign a VLAN in the role.  I like this better...just more "clean" to me.