Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Server rules vs user rules

  • 1.  Server rules vs user rules

    Posted Mar 06, 2014 06:00 AM

    Hi Guys,

    Was hoping someone could help me with Server rules...

    To make things easier, we have 2 networks.

    Corporate network - Radius Authentication - NPS = VLAN 20 Users subnet 10.17.1.0/24

    Mobile Network - Radius Authentication - NPS = VLAN 33 Users Subnet 172.16.33.0/24

    The Mobile network cannot see the corporate network, it only has Internet access.

    A new subnet was created for IT ADMIN, VLAN 70, subnet 10.17.7.0/24

    Since we run NAC on the switches, we have applied rules to NPS to accommodate this range. So ITADMIN users which are in a specific network group get VLAN 70 IP addressing.

    Server rule = Filter-Id Equals WLAN-VLAN70 Set VLAN 70

    This is great, until an ITADMIN user connects to the Mobile network. As I said, it's a separate network, enforced by a Firewall that assigns DHCP addresses of 172.16.33.0/24 to users.

    How can I keep my existing rule but make an exception for the Mobile network?

    Can a User Rule override a server rule?

    Must I use Roles somehow?

    If only the SSID could be returned to the controller....

    Hope someone can point me in the right direction...

    Thanks


  • 2.  RE: Server rules vs user rules
    Best Answer

    EMPLOYEE
    Posted Mar 06, 2014 06:49 AM

    Pawel,

    Unfortunately, Server defined rules supersede user defined rules, so they should not be used together.

    Your second issue is that NPS is not configurable enough to "see" and make decisions on the Aruba radius attribute for the SSID that a user is connected to. Other radius servers like ClearPass can, but NPS is a basic radius server and cannot.

    For your situation, you have to employ a workaround:

    For the Mobile SSID, create a new radius server in the controller, exactly like the one before except it has the NAS-ID of "mobile":

    [screenshot: mobile.png]

    Create a new server group and add that new server to it. Duplicate the AAA profile that you were using for the other radius SSID and change the server group to the one you just created. What should happen now is that any radius authentication that comes in from your second server should have a NAS-Identifier of "mobile" and NPS can make decisions based on that attribute: On the NPS server create a new remote access policy identical to the one before it, except, it also checks for the NAS Identifier of Mobile and returns "mobile" for the filter-id. Move that remote access policy above your first remote access policy on NPS so that it is checking for the mobile attribute.

    On the controller in the new server group for the Mobile SSID, it should have a server defined rule that looks for the filter-id of mobile and puts the user in that role with the VLAN tied to it.
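The controller-side pieces of the workaround above, written out as an added ArubaOS CLI example; this is not configuration taken from the original post or from the controller in the thread. The NAS-Identifier "mobile", the returned Filter-Id "mobile", the existing "WLAN-VLAN70" rule and VLAN 33 for the mobile subnet come from the thread; the server, group, role and profile names are assumed, and the NPS address and shared secret are placeholders. The NPS half (the duplicated network policy that also matches NAS-Identifier "mobile", ordered above the VLAN 70 policy) is still done in the NPS console.

```text
! Second RADIUS server definition for the controller: same NPS host and
! secret as the existing server, but tagged with NAS-Identifier "mobile"
! so NPS can tell the two SSIDs apart. <NPS-IP> and <SHARED-SECRET> are
! placeholders for the values already used by the existing server.
aaa authentication-server radius "NPS-mobile"
   host "<NPS-IP>"
   key "<SHARED-SECRET>"
   nas-identifier "mobile"
!
! Role for users on the mobile SSID, with the mobile VLAN tied to it
! (role name assumed; VLAN 33 is the mobile subnet from the first post).
user-role "mobile-role"
   vlan 33
!
! Server group used only by the mobile SSID. Its server-derived rule
! matches the Filter-Id "mobile" that the new NPS policy returns.
! The original server group keeps its "WLAN-VLAN70" rule untouched,
! so IT admins on the corporate SSID still land in VLAN 70.
aaa server-group "SG-mobile"
   auth-server "NPS-mobile"
   set role condition Filter-Id equals "mobile" set-value "mobile-role"
!
! Copy of the existing AAA profile pointed at the new server group;
! attach this profile to the mobile SSID's virtual AP.
aaa profile "AAA-mobile"
   authentication-dot1x "default"
   dot1x-server-group "SG-mobile"
!
```

Because NPS evaluates network policies top to bottom and stops at the first match, the mobile policy has to sit above the VLAN 70 policy; if it sits below, an IT admin on the mobile SSID still matches the group-based VLAN 70 policy first and the new server group never sees a "mobile" Filter-Id. After committing, the controller's `aaa test-server` command (the check referred to later in the thread) confirms the new server definition reaches NPS with the same credentials as the original one.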



  • 3.  RE: Server rules vs user rules

    Posted Mar 07, 2014 07:37 AM

    Thanks for the quick reply!

    I made the changes on the controller and got the server guys to make their changes and hit a strange snag.

    The server we are currently using, 105, is authenticating our current users and passes the AAA test server check, whilst the same server with the NAS-ID fails it? Says server timeout, and I'm pretty sure the password is the same.

    Is that even possible, if all is identical except the NAS-ID?

    Could this be a server problem?

    Thanks



  • 4.  RE: Server rules vs user rules

    EMPLOYEE
    Posted Mar 07, 2014 07:57 AM

    Check the event viewer on the server to make sure...



  • 5.  RE: Server rules vs user rules

    Posted Mar 11, 2014 02:36 AM

    Hi cjoseph,

    Was a server problem :)

    Thanks for the help, the workaround is working 100%

    Cheers

    Pawel