Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba and Windows 2008 NPS

  • 1.  Aruba and Windows 2008 NPS

    Posted Sep 11, 2013 07:52 PM

    Hi everyone,

     

    Thanks to some other posts I found here, I now have a working Aruba/NPS authentication setup for our school district.  However, one item is a bit of a mystery to me.  This is probably more of an NPS thing than an Aruba thing, so I apologize in advance for it being possibly off topic.  However, I thought that since there are a lot of people using NPS and Aruba out there, someone might know the answer. :)

     

    Right now, I have 3 Network Policies defined in NPS:

     

    The first is for Machine Authentication.  All of our workstations are joined to our AD domain.  The rule says that if the machine is a member of the machine group "Domain Computers", it is granted access.  The policy passes back the Class value "StaffAccess", which is the role that the Aruba controller places the machine into, which is granted unrestricted access to the network.

     

    The second rule is for employees.  If the user is a member of the AD group that contains all employees, they are granted access and again, the policy passes back the Class value "StaffAccess".

     

    The third rule is for students.  If the user is a member of the AD group that contains all students, they are granted access, but this time, the policy passes back the Class value "StudentAccess".

     

    On my Aruba controller, in the server group, I have one Server Rule defined:

    * Attribute:  Class

    * Operation:  value-of

    * Type:  String

    * Action:  set role

     

    The role that is applied to the user or computer, either "StaffAccess" or "StudentAccess", has certain firewall rules applied to it.  To be specific, "StaffAccess" has no rules, so it's wide open, and "StudentAccess" has rules that effectively only give access to the internet, not any internal resources.

     

    That all works great!  Where I'm confused, though, is what happens if a user doesn't belong to any of the groups defined in my NPS rules.  We have a few "generic" accounts in AD that don't belong to either of those groups.  For example, our site techs each have a generic account (not their own personal account) that is assigned to the site.  They use that for logging into school workstations to perform administrative tasks that are normally locked down.  Since the workstations all do machine auth, this isn't a problem, but one of our techs once tried to use one of these accounts on her iPad, and found that she couldn't connect to an Apple TV.  When I looked on the local controller at her site, I saw that her account had been placed into the "StudentAccess" role.  But I'm trying to figure out how that happened! :)

     

    Does NPS apply the last policy in your policy set to you even if you don't match the criteria?  Or is this something the Aruba controller did, and if so, how did it determine which role to place her in?

     

    Thanks!



  • 2.  RE: Aruba and Windows 2008 NPS

    EMPLOYEE
    Posted Sep 11, 2013 07:55 PM
    What is your 802.1x default role set to?


  • 3.  RE: Aruba and Windows 2008 NPS

    Posted Sep 11, 2013 08:42 PM

    There are 3 places that roles will come from in your scenario (iPad with Staff user, and non-matching condition).


    They are as follows (all on the Aruba controller under AAA Profile in use for the VAP you have people connecting to):  

     

    802.1x default role     --- used when both user/machine auth is done/succeeds, yet no matching string/attribute comes back from your NPS

     

    default machine role  --- used when machine only auth is done/succeeds, yet no matching string/attribute comes back from your NPS

     

    default user role   --- used when user only auth is done/succeeds, yet no matching string/attribute comes back from your NPS

     

    So with your iPad example, machine auth does not succeed, right?  Thus you are in bucket #3 (user == good, machine == not)... aka default user role on the Aruba controller. 

     

    I would recommend checking that... see attached diagram for the screens that these fields are on... In my example test-user is the role that an employee on an ipad would likely fall into.   Check your field...likely it says studentxxxx 

    Let us know how you make out!

     

    JF

     



  • 4.  RE: Aruba and Windows 2008 NPS

    Posted Sep 11, 2013 11:15 PM

    To find out where the role was applied from, run the following command and look for the role derivation line to see if it came from the default AAA role or a VSA from RADIUS.

     

     show user  ip <ip of user>

     

    You may consider adding another policy as a catch all policy for "other users" and return whatever role you want (or just let the default 802.1X role of the AAA profile apply).

     

    But, you should also check your NPS logs to see what Network Policy allowed that generic account to pass.   If your conditions for the other three are based on group memberships, it must have passed another policy.

     

    Example:

    show user ip 192.168.13.157

     

    Name: , IP: 192.168.13.157, MAC: c8:bc:c8:85:10:9d, Role:authenticated, ACL:60/0, Age: 04:02:06
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: AAA profile default role
    VLAN Derivation: unknown
    .........................................



  • 5.  RE: Aruba and Windows 2008 NPS

    Posted Sep 12, 2013 01:23 PM

    Thanks for the responses, everyone!

     

    JF: I looked at the 2 screen shots you sent.  Here's how my controller is configured:

     

    802.1X Authentication Profile --> (My 802.1x auth profile name)

       Machine Authentication: Default Machine Role:  guest

       Machine Authentication: Default User Role:  guest

     

    AAA Profile --> (My AAA profile name)

       802.1X Authentication Default Role:  authenticated

     

    I don't know if "authenticated" is a built-in role or something that was created.  I inherited this setup and wasn't involved in its initial configuration.

     

    clembo:  Using the command you gave me, I got the following:

     

       Role Derivation: Matched server rule

    Is that trying to tell me that it matched a role from the "Class" value that was passed back by NPS?  If so, then I'm stumped, because the user I'm authenticating as is definitely not a member of any of the groups specified in the NPS policies.  NPS' logging doesn't tell me much, either, unless I'm looking in the wrong place.



  • 6.  RE: Aruba and Windows 2008 NPS

    Posted Sep 12, 2013 04:29 PM

    Yes, from server rule would mean the attribute (class in this case) defined in the server group.   I would check the NPS logs again.  The log will show which Network Policy was used during the authentication.  This should help you determine which policy was hit; then you can troubleshoot why based on the conditions you have set.  It will be at the bottom of the event.

     

    You can view the logs from under Server Manager --> Diagnostics --> Event Viewer --> Custom Views --> Server Roles --> Network Policy and Access Services.   You may have to search for your particular authentication.

     

    nps-event-policy.png




  • 7.  RE: Aruba and Windows 2008 NPS

    Posted Sep 12, 2013 07:38 PM

    I'm looking in the NPS logs now (Thanks for steering me in the right direction there!), but right now all it's showing me are when it denies access.  None of the successful authentications are showing up.  Am I missing something?

     

    Thanks!



  • 8.  RE: Aruba and Windows 2008 NPS

    Posted Sep 12, 2013 07:42 PM

    Welcome to the confusing world of Microsoft RADIUS log files...   Our ClearPass AAA solution has much easier to read/digest logs, perhaps test-drive that one at some point. ;)

     

    For the present time, you have NPS of course... within NPS, by default, successful events are logged.

     

    "NPS records connection request failure events in the System and Security event logs by default.  Connection request failure events consist of requests that are rejected or discarded by NPS.

     

    Other NPS authentication events are recorded in the Event Viewer system log on the basis of the settings that you specify in the NPS snap-in. Some events that might contain sensitive data are recorded in the Event Viewer security log."

     

    Are you looking in the multiple locations indicated above (System, Security logs, and Event viewer)  and there are no events on successful logins ?

     

    JF



  • 9.  RE: Aruba and Windows 2008 NPS

    Posted Sep 12, 2013 09:09 PM

    If you are only seeing failures; run the following command:

     

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable




  • 10.  RE: Aruba and Windows 2008 NPS

    Posted Sep 12, 2013 09:14 PM

    The full write up here: 

     

    http://support.microsoft.com/kb/951005




  • 11.  RE: Aruba and Windows 2008 NPS

    Posted Sep 12, 2013 09:16 PM

    Handy command also to verify your config  either before or after (or both)

     

    C:\Windows\system32>auditpol /get /subcategory:"Network Policy Server" 

     

    System audit policy 
    Category/Subcategory                      Setting 
    Logon/Logoff 
      Network Policy Server                   Success and Failure




  • 12.  RE: Aruba and Windows 2008 NPS

    Posted Sep 13, 2013 01:25 PM

    Thanks JF and clembo!  My server was only auditing failures, so now I have it auditing successes as well.  Here's what I got when I authenticated using the generic LAN administrator account:

     

    Authentication Details:
        Proxy Policy Name:        PUSD Secure Wireless
        Network Policy Name:        PUSD Secure Wireless - Students
        Authentication Provider:        Windows
        Authentication Server:        <server name here>
        Authentication Type:        PEAP
        EAP Type:            Microsoft: Secured password (EAP-MSCHAP v2)
        Account Session Identifier:        -

    It apparently used the Students policy, which is odd, since the account I authenticated to is NOT a member of either group defined in the policy.  Still stumped...



  • 13.  RE: Aruba and Windows 2008 NPS

    Posted Sep 13, 2013 02:17 PM

    Even more interesting now... I changed the order of the rules just to make sure it wasn't defaulting to the last rule in the list somehow.  I moved the Student rule above the Staff rule, so it was in position #2.  Restarted NPS to be safe.  Still getting the Students policy... weird!



  • 14.  RE: Aruba and Windows 2008 NPS

    Posted Sep 13, 2013 02:34 PM

    OK, figured it out, and I feel kinda dumb. :)

     

    There were 2 groups defined in the Students policy.  The user I was testing with was a member of another group, which is in turn a member of one of the groups in the policy.  That's why it was giving me student rights.

     

    Basic troubleshooting 101, and I fail... heh...

     

    Thanks for all of the help!  At least I know more about NPS now. :)
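
Added worked example (not part of the thread, not code from any of the posters). It scripts the troubleshooting path the thread converged on: enable NPS success auditing (post 9), pull the Security-log events that carry the "Network Policy Name:" line shown in post 12, and then explain a surprising match by resolving the account's nested group membership, which is what turned out to be the cause in post 14. The user name 'lan-admin-generic', the group names 'Students' and 'Staff', the 24-hour lookback and the script file name are assumptions; the script is meant to run elevated on the NPS server with the ActiveDirectory RSAT module installed.

```powershell
<#
  Added example, not code from the thread. Answers two questions from the discussion:
    1. Which NPS Network Policy granted (or denied) a given account?
    2. If the account is not a direct member of the policy's groups, how did it match?
  Assumptions (placeholders): user 'lan-admin-generic', groups 'Students' and 'Staff',
  24-hour lookback, run elevated on the NPS server with the ActiveDirectory module.
#>
param(
    [string]   $UserName      = 'lan-admin-generic',    # assumed sAMAccountName of the generic account
    [string[]] $PolicyGroups  = @('Students', 'Staff'), # assumed group names used in the NPS policy conditions
    [int]      $LookbackHours = 24
)

Import-Module ActiveDirectory

# Walk MemberOf upward from a group until $TargetName is reached. Returns the
# nesting path as "A -> B -> C", or $null. $Visited guards against circular nesting.
function Find-NestingPath {
    param([string]$GroupDn, [string]$TargetName, [string[]]$Path, [hashtable]$Visited)
    if ($Visited.ContainsKey($GroupDn)) { return $null }
    $Visited[$GroupDn] = $true
    $grp  = Get-ADGroup -Identity $GroupDn -Properties MemberOf
    $here = $Path + $grp.Name
    if ($grp.Name -eq $TargetName) { return ($here -join ' -> ') }
    foreach ($parentDn in $grp.MemberOf) {
        $r = Find-NestingPath -GroupDn $parentDn -TargetName $TargetName -Path $here -Visited $Visited
        if ($r) { return $r }
    }
    return $null
}

# 1. By default only failures are audited; enable success auditing too (post 9). Idempotent.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Network Policy Server"

# 2. Which Network Policy matched? Event 6272 = access granted, 6273 = access denied,
#    both in the Security log. The message text carries the "Network Policy Name:" line
#    seen in post 12, so a regex on the message is enough to extract it.
$acctPattern = '(?m)Account Name:\s+(?:\S+\\)?' + [regex]::Escape($UserName) + '(?:@\S+)?\s*$'
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $acctPattern }

if (-not $events) { "No NPS grant/deny events for '$UserName' in the last $LookbackHours hours." }
foreach ($e in $events) {
    $policy  = if ($e.Message -match 'Network Policy Name:\s*(.+)') { $Matches[1].Trim() } else { '(not present)' }
    $verdict = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED ' }
    '{0:u}  {1}  Network Policy = "{2}"' -f $e.TimeCreated, $verdict, $policy
}

# 3. Why did that policy match? NPS evaluates "User Groups" conditions against the
#    account's logon token, so membership inherited through a nested group counts
#    exactly like direct membership (the root cause found in post 14).
$user      = Get-ADUser -Identity $UserName -Properties MemberOf
$directDns = @($user.MemberOf)
$direct    = $directDns | ForEach-Object { (Get-ADGroup -Identity $_).Name }
# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) expands nesting on the DC side.
$effective = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { $_.Name }

foreach ($g in $PolicyGroups) {
    if ($direct -contains $g) {
        "$UserName is a DIRECT member of '$g'"
    } elseif ($effective -contains $g) {
        $path = $null
        foreach ($dn in $directDns) {
            $path = Find-NestingPath -GroupDn $dn -TargetName $g -Path @() -Visited @{}
            if ($path) { break }
        }
        "$UserName is a NESTED member of '$g' via: $UserName -> $path"
    } else {
        "$UserName is NOT a member of '$g' (directly or nested)"
    }
}
```

Run it as `.\Find-NpsMatch.ps1 -UserName <account> -PolicyGroups 'Students','Staff'` (the file name is an assumption). The nested-membership output is the check to run before reordering policies: NPS processes Network Policies top-down and stops at the first whose conditions all match, so if a "generic" account is transitively in a group named in the Students policy, moving that policy around only changes which matching policy wins, not whether it matches. One caveat: the LDAP filter uses the user's distinguished name unescaped; a DN containing `(`, `)` or `*` would need LDAP escaping before it is interpolated.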