Wireless Access


Radius authentication

  • 1.  Radius authentication

    Posted Apr 17, 2013 08:36 AM

    Hi,

    I have an Aruba 620 controller, firmware version 6.1.2.

    Config requirement: every user must pass through MAC authentication. User "bob" is a member of RADIUS group Test1. SSID New1 assigns VLAN 10. SSID New1 is bound to the Test1 RADIUS group. If "bob" tries to access SSID New1, the authentication window will ask for credentials; once he is authenticated he will get VLAN 10 access.

    But user "bob" is not a member of the Test2 RADIUS group. If user "bob" tries to access SSID New2, which is bound to the Test2 RADIUS group, then authentication should not allow him to log in. Expected error message: "user name incorrect".

    I have configured a MAC authentication profile for each SSID, and configured server rules for each SSID + VLAN + RADIUS group using the Filter-Id attribute.

    Result: user "bob" gets VLAN 10 when he tries to access SSID New1.

    But when user "bob" tries to access SSID New2, he is still able to authenticate and gets an IP address 169.*.*.*

    How can I achieve my requirement?

    Regards,

    Nikhil



  • 2.  RE: Radius authentication

    EMPLOYEE
    Posted Apr 22, 2013 06:20 AM

    You need a RADIUS server that can compare Group, SSID and MAC authentication, otherwise you will not be able to make this work.

    Quite frankly, layering AD groups with MAC authentication is too complicated and requires too much administration.  You should use something like machine authentication to authenticate the devices that users come in on.



  • 3.  RE: Radius authentication

    Posted Apr 23, 2013 07:14 AM

    I have a RADIUS server. There are two groups on the RADIUS server, named Test1 & Test2.

    I have created the following rule, whose attribute is "Filter-Id" for RADIUS group 'Test1' and whose operation is "not-equal"; it means that if user "bob" is not in the "Test1" group then VLAN 175 is assigned. VLAN 175 has no IP address range assigned.

    I have the same configuration for the "Test2" RADIUS group.

    server rule

    My requirement is: user "bob" is not a member of the Test2 RADIUS group. If user "bob" tries to access SSID New2, which is bound to the Test2 RADIUS group, then authentication should not allow him to log in. Expected error message: "user name incorrect".

    Kindly suggest how I can achieve this.

    Regards,

    Nikhil Patil.



  • 4.  RE: Radius authentication

    EMPLOYEE
    Posted Apr 23, 2013 07:39 AM

    You cannot deny a user access from the server derivation rule screen.  You can only change the role or VLAN.  If VLAN 175 does not exist, it will just put the user in the default virtual AP VLAN, not deny him, so it will not accomplish what you want.

    Think about this differently:

    Have a single SSID and a single server group.  Have the RADIUS server return a different Filter-Id depending on what group the user is in in AD.  Write two server derivation rules putting the user in the correct VLAN depending on the Filter-Id.  If the user does not match any rules on the RADIUS server, it will just deny access.


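The single-SSID design from reply 4, written out as ArubaOS 6.x CLI. This is an added illustration, not configuration posted in this thread; the server name, the documentation IP address, the shared-secret placeholder, VLAN 20 for the Test2 group and the profile names are all assumptions.

```text
! Added example, not from the thread. Assumes ArubaOS 6.x CLI syntax and a
! RADIUS server (192.0.2.10, documentation address) that returns
! Filter-Id = "Test1" or "Test2" based on the user's AD group and sends
! Access-Reject for users that are in neither group.

! Both VLANs must exist on the controller. A derivation rule that points
! at a VLAN that does not exist does NOT deny the user; it falls back to
! the virtual AP's default VLAN (see reply 4).
vlan 10
vlan 20

! One external RADIUS server (replace the key with your own secret)
aaa authentication-server radius "corp-radius"
   host 192.0.2.10
   key <SHARED-SECRET-PLACEHOLDER>

! One server group; the two derivation rules map Filter-Id to a VLAN.
aaa server-group "corp-group"
   auth-server "corp-radius"
   set vlan condition Filter-Id equals "Test1" set-value 10
   set vlan condition Filter-Id equals "Test2" set-value 20

! One 802.1X profile and one AAA profile bound to the single SSID
aaa authentication dot1x "corp-dot1x"
aaa profile "corp-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "corp-group"

! Outcome for user "bob" (member of Test1 only):
!   Access-Accept + Filter-Id "Test1"  -> VLAN 10
! Outcome for a user in neither group:
!   Access-Reject from the RADIUS server -> no VLAN derived, access denied.
! The deny decision is made at the RADIUS server, not by the derivation
! rules, which is why reply 4 moves the group check there.
```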

  • 5.  RE: Radius authentication

    Posted Apr 29, 2013 12:35 AM

    Thank you for your valuable suggestion...



  • 6.  RE: Radius authentication

    Posted May 02, 2013 08:15 AM

    You can use 2 different RADIUS servers: for SSID1 use the internal RADIUS, for SSID2 use the external RADIUS.

    Or you can use MAC authentication on all SSIDs and negate the access on the SSID for bob's MAC.