Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RADIUS Authentication with multiple groups

  • 1.  RADIUS Authentication with multiple groups

    Posted Oct 12, 2012 05:34 AM

    Hi Peeps,

    I have a 3600 setup with RADIUS authentication on 2 of 4 SSIDs. (NPS)

    The two 802.1x wlans are for different groups of users, (each with a different content policy out on the www).

    RADIUS is currently configured just to check the user account and password exist in AD.

    Problem is that the PTB want to ensure that only members of group A can authenticate to wlan A and group B to wlan B.

    From my understanding of the way NPS processes the request I can't see how this can be done without a separate instance of RADIUS.

    Is this the case?


    #3600


  • 2.  RE: RADIUS Authentication with multiple groups

    EMPLOYEE
    Posted Oct 12, 2012 08:01 AM

    @Andyj wrote:

    Hi Peeps,

    I have a 3600 setup with RADIUS authentication on 2 of 4 SSIDs. (NPS)

    The two 802.1x wlans are for different groups of users, (each with a different content policy out on the www).

    RADIUS is currently configured just to check the user account and password exist in AD.

    Problem is that the PTB want to ensure that only members of group A can authenticate to wlan A and group B to wlan B.

    From my understanding of the way NPS processes the request I can't see how this can be done without a separate instance of RADIUS.

    Is this the case?


    The limitation lies with NPS.  Use the method in the post here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/How-do-I-configure-an-Aruba-controller-to-use-AD-groups-through/m-p/2501/highlight/true#M552 to put users in different roles (and define VLANs in those roles to make them have different VLANs).

    When testing, either use the "aaa user delete" command to remove the user from the user table, or use "disconnect" in the GUI, so that the user does not use a cached role when they reconnect.

     



  • 3.  RE: RADIUS Authentication with multiple groups

    Posted Oct 12, 2012 08:28 AM

    Hi,

     

    You will have to double check but I think you will have to create an NPS profile based on the calling station ID and use a wildcard for any AP MAC Address then ':each distinct SSID'. Each profile can then apply their own set of rules.



  • 4.  RE: RADIUS Authentication with multiple groups
    Best Answer

    Posted Oct 12, 2012 12:51 PM

    <taken from a previous post of mine>

    Because you are using NPS you have limited options, but you do have one.   You'll need to set up two RADIUS server definitions and server groups.   They will both point to the same NPS server and use the same shared secret.  However, for each server definition, define a unique "NAS ID", for example SSID-A and SSID-B.   Then set up your AAA profiles to use the respective server group.    Last, set up two NPS policies, one for SSID A authentication and one for SSID B authentication and the appropriate returned attributes.   In the conditions, make sure you have the NAS Identifier in there to differentiate the requests as well as AD group memberships.

    For example:

    aaa authentication-server radius "NPS-SSID-A"
      nas-identifier "SSID-A"

    aaa authentication-server radius "NPS-SSID-B"
      nas-identifier "SSID-B"

    Just an FYI:

    NPS doesn't support it, but ClearPass could use the Aruba-ESSID-Name attribute that is passed during the authentication attempt.
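An added illustration, not from the thread or from Aruba or Microsoft, of why the best answer insists on both conditions: it models NPS-style first-match policy evaluation over a constructed user/group table, using the NAS-Identifier values SSID-A and SSID-B from the reply above. The group names, user names and the Aruba-User-Role return value are assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed AD group membership for the demo (not real accounts).
AD_GROUPS = {
    "alice": {"Group-A"},
    "bob": {"Group-B"},
    "carol": {"Group-A", "Group-B"},
}

@dataclass
class Policy:
    """One NPS network policy: conditions plus the attributes returned on match."""
    name: str
    nas_identifier: Optional[str]   # condition on NAS-Identifier; None = not checked
    required_group: str             # condition on AD group membership
    returned: dict = field(default_factory=dict)

    def matches(self, req: dict) -> bool:
        if self.nas_identifier is not None and req.get("NAS-Identifier") != self.nas_identifier:
            return False
        return self.required_group in AD_GROUPS.get(req.get("User-Name"), set())

def evaluate(policies, req):
    """NPS processes network policies in order and stops at the first match."""
    for p in policies:
        if p.matches(req):
            return ("Access-Accept", p.name, dict(p.returned))
    return ("Access-Reject", None, {})

def request(user: str, nas_id: str) -> dict:
    """Minimal Access-Request as the controller's server definition would send it."""
    return {"User-Name": user, "NAS-Identifier": nas_id}

# As the reply describes: each policy requires the matching NAS-Identifier AND the group.
STRICT = [
    Policy("WLAN-A", "SSID-A", "Group-A", {"Aruba-User-Role": "role-a"}),
    Policy("WLAN-B", "SSID-B", "Group-B", {"Aruba-User-Role": "role-b"}),
]
# Group-only policies with no NAS-Identifier condition: NPS cannot tell which SSID sent the request.
LOOSE = [
    Policy("WLAN-A", None, "Group-A", {"Aruba-User-Role": "role-a"}),
    Policy("WLAN-B", None, "Group-B", {"Aruba-User-Role": "role-b"}),
]

if __name__ == "__main__":
    for pols, label in ((LOOSE, "loose"), (STRICT, "strict")):
        print(label, "bob on SSID-A ->", evaluate(pols, request("bob", "SSID-A")))
```

With the loose policies a Group-B member is accepted on SSID-A (via the WLAN-B policy); with the NAS-Identifier condition in place the same request is rejected.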