Filter VSA in NPS as condition

  • Question

  • Sometimes you want to add a condition in NPS to check a Vendor-Specific attribute. For example, when authenticating connection requests from a Ruckus ZD controller, it is very useful to be able to check the value of the Ruckus-Location attribute, but NPS allows you to add such a condition in its MMC consoles.

    So, I made a dump between Wireshark and MS RADIUS and found the VSA.


    Then I added the condition to NPS via export/import of the XML RADIUS config.

    <msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("Vendor-Specific=01000061DD0506LCHS")</msNPConstraint>                                                                                                                                                                                                 

    I ran "netsh nps sh np" in the console to check.

    But it does not work.

    I tried adding the term ".*" to check NPS validation. It works.

    <msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("Vendor-Specific=.*")</msNPConstraint>


    How to set the condition for the NPS to check the VSA?






    Thursday, November 1, 2018 1:29 PM

All replies

  • Hello Andrey,

    Thank you for your question.

    I found a post related to this and his suggestion is to change the value of the condition.

    You can refer to the following link for more information and see if it helps:

    https://social.technet.microsoft.com/Forums/en-US/a4ddab87-e253-47f6-be82-4ff678a37426/network-policy-using-radius-vendorspecific-attribute-as-a-condition?forum=winserverNIS

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 2, 2018 7:40 AM
  • Yes, I also saw this post. It does not work.
    Friday, November 2, 2018 9:15 AM
  • Hello Andrey,

    Have you tried to configure a custom VSA via GUI?

    Configure a Custom VSA: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731611(v=ws.10) 

    By the way, the forum is a public area. For your privacy, it is recommended that you hide your IP address, host name, domain name, etc.

    Best Regards,

    Leon



    Monday, November 5, 2018 9:17 AM
  • Hello Andrey,

    Looking at the Wireshark image, the value of the vendor specific attribute seems to be:

    0x00 0x00 0x61 0xDD 0x05 0x06 0x4C 0x43 0x48 0x53

    The first 4 bytes are the vendor ID (0x000061DD = 25053 = Ruckus Wireless, Inc.).
    According to Wireshark, the next two bytes are the Ruckus type (5) and value length (6 - includes type and length bytes).
    The final four bytes are an ASCII or UTF-8 encoding of the location ("LCHS").

    In your msNPConstraint, you have written the value as a combination of a hex encoded string ("01000061DD0506" - with an erroneous leading "01" rather than "00") and an ASCII/UTF-8 encoded string ("LCHS").

    I don't know what format is expected, but it is almost certainly not a combination of two formats.

    My suggestion would be to try the string "&#x00;&#x00;&#x61;&#xDD;&#x05;&#x06;LCHS" first with "000061DD05064C434853" as a possible second suggestion.

    Gary

    Monday, November 5, 2018 4:15 PM
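
Added example, not part of the original thread or of any reply: a Python decoder for the Vendor-Specific value bytes quoted in the reply above, using the vendor ID / type / length / data layout that reply describes. The function names are illustrative, the sample bytes are copied from the reply, and nothing here establishes which string format NPS expects in msNPConstraint.

```python
import string
import struct

# Constructed from the bytes quoted in the reply above (VSA value field only).
SAMPLE_VSA = bytes([0x00, 0x00, 0x61, 0xDD, 0x05, 0x06, 0x4C, 0x43, 0x48, 0x53])


def parse_vsa(value: bytes):
    """Return (vendor_id, [(vendor_type, data), ...]) for a VSA value field."""
    if len(value) < 4:
        raise ValueError("value is shorter than the 4-byte vendor ID")
    (vendor_id,) = struct.unpack("!I", value[:4])
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        # The vendor length counts its own type and length bytes.
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor length {vlen} at offset {pos}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def build_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Encode one sub-attribute back into a VSA value field."""
    # 255-byte attribute limit minus 2 (type, length), 4 (vendor ID), 2 (sub header).
    if len(data) > 247:
        raise ValueError("data does not fit in a single RADIUS attribute")
    return struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data


def is_pure_hex(text: str) -> bool:
    """True if text is a non-empty, even-length string of hex digits only."""
    return bool(text) and len(text) % 2 == 0 and all(
        c in string.hexdigits for c in text)


if __name__ == "__main__":
    print(parse_vsa(SAMPLE_VSA))                       # decoded fields
    print(build_vsa(25053, 5, b"LCHS").hex().upper())  # all-hex rendering
    print(is_pure_hex("01000061DD0506LCHS"))           # string from the question
```
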
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Leon



    Wednesday, November 7, 2018 11:14 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Leon



    Friday, November 9, 2018 9:33 AM
  • Not right. Your link is an example of VSA SETTINGS. I need an example for VSA CONDITIONS. 
    Monday, November 12, 2018 11:21 AM
  • Hello Andrey,

    Please check the content of this post to see if it helps.

    The post: https://social.technet.microsoft.com/Forums/en-US/db076bfe-3e9c-46b4-ac0f-841fdc7eadb3/nps-check-for-vsas-in-radius-accessrequest-packet?forum=winserverNIS 

    Best Regards,

    Hank



    Tuesday, November 13, 2018 2:51 AM