NAP Group Based Authentication

  • Question

  • I am trying to set up RADIUS across a few different network devices and am having a bit of an issue. I have 3 groups of devices that I am trying to limit access to, but am not 100% clear on the best methodology, as my policies are not working the way I would expect them to.

    Environment: I have three groups of devices: HP network equipment, APC UPSs and VPN Users (using a Sonicwall). Each group of devices has a Windows group: Net Admins, UPS Admins and VPN Users.

    Goal: I would like to set up RADIUS to allow members of the Net Admins group to log in to all HP network equipment, members of UPS Admins access to the APC equipment and members of the VPN Users group to log in to the Sonicwall.

    Current Config: I set a CRP to allow all requests during any time of day.

    I have 3 NAPs that were each looking for membership to a Windows group.

    I had initially tried to set the NAPs to look for both the Windows group and the RADIUS client's IP address. My thought process was that with both the group and the IPs, I would be able to guarantee that granted access would be limited to a correct group/IP mapping. What I am finding is that the IP filtering is not working at all. My guess is that it is looking at the IP address of the computer logging on rather than the device that is trying to authenticate the user.

    Any assistance would be very much appreciated, and thank you in advance for your time.


    -Drew
    Wednesday, January 4, 2012 4:42 PM

Answers

  • Hi Drew,

    You can always run netmon or wireshark, but you might benefit by just viewing events in Event Viewer on NPS. Use the view: Custom Views\Server Roles\Network Policy and Access Services.

    -Greg

    • Marked as answer by Drew Heath Friday, January 6, 2012 6:01 PM
    Wednesday, January 4, 2012 11:48 PM

All replies

  • Hi Drew,

    To clarify, when you are talking about NAPs I think you mean network policies. You are not actually using NAP, right? NAP is a platform that leverages NPS using "health policies" and you must pick an enforcement type (DHCP, 802.1X, IPsec, VPN). When you pick one of these enforcement types, client computers can have access restricted at the point of entry to the network. For example, VPN enforcement would apply IP filters to the VPN tunnel. DHCP enforcement would restrict clients using the routing table. All the NAP enforcement methods will only work if the NAP agent service is running on the client.

    What network access method are all of these groups using? In other words, do VPN users also access the wired LAN directly some of the time? Are you using 802.1X on your LAN? Is wireless access enabled?

    -Greg

    Wednesday, January 4, 2012 6:44 PM
  • Greg-

    I am referring to Network Access Policies. To date, we are not using any health policies or 802.1X authentication (though we would like to at a later date).

    VPN access is all external.  Our Sonicwall is authenticating users using RADIUS to allow SSLVPN access.  All of the network devices that are attempting to use RADIUS are either on the same LAN or connected via hardware VPN.

    Thank you for your help!


    -Drew
    Wednesday, January 4, 2012 6:49 PM
  • Hi Drew,

    I see you are online right now (b/c of the quick response). Just so you aren't waiting I'll tell you I have to run to a few meetings. I'll reply again soon.

    -Greg

    Wednesday, January 4, 2012 7:01 PM
  • Hi Drew,

    The types of policies are connection request, network policy, and health policy. I think you are referring to network policy.

    How did you configure the network policy? See http://www.firewalls.com/videos/video/sonicwall-radius-authentication-with-windows-2008-part-1-or-2.html which has some steps for configuring sonicwall with NPS (the video there isn't free but the steps discuss the process).

    In the step for creating a network policy, in conditions, you need to enter the IP address of the RADIUS client which is called "Client IPv4 Address" (not Access Client IPv4 Address).

    -Greg

    Wednesday, January 4, 2012 9:28 PM
  • I believe my issues are coming down to the IP address not being seen correctly by the NPS. I already have the Sonicwall using NPS for RADIUS, but the policy is only looking at the Windows group name. As soon as I enter the X0 IP address as Client IPv4 Address, all authentication is denied. I believe I am running into the same issues with the other devices.

    Is there a way to actively watch the connection attempts?


    -Drew
    Wednesday, January 4, 2012 10:05 PM
  • That helped a bit with the successful authentications, but none of the failures are showing. Where do you change the audit policy for NPS?

    Strangely enough, NPS filtering is working when looking at the RADIUS client friendly name but not the IP address. In the event log for the success, the IP is showing correctly under the RADIUS client IP address, though. Also, if I add more than one friendly name, the policy stops working. Is there an easy way to write a policy that states something like "these 5 devices and this Windows group"?


    -Drew

    • Edited by Drew Heath Thursday, January 5, 2012 3:44 PM
    Thursday, January 5, 2012 3:41 PM
  • Found Greg's post on how to change the audit policy:

    1. Check the current setting:

    auditpol /get /subcategory:"Network Policy Server"

    If both success and failure events are enabled, the output should be:

    System audit policy

    Category/Subcategory Setting
    Logon/Logoff
    Network Policy Server Success and Failure

    2. If it shows 'No auditing', you can run this command to enable it:

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable


    -Drew
    Friday, January 6, 2012 5:00 PM
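The auditpol commands above only switch the auditing on; the events then land in the Security log, where NPS records 6272 (access granted), 6273 (access denied) and 6274 (request discarded). The following is an added example, not code from the thread, that checks the audit setting, enables it if needed, and lists the last hour of NPS events with the two addresses that are easy to confuse: the RADIUS client's IP (the value a "Client IPv4 Address" condition is compared with) and the calling station (the end device or VPN user). Comparing the ClientIP column against the address entered in the policy condition is the quickest way to see why a condition such as the Sonicwall's X0 address never matches. The EventData field names used here are the ones NPS writes into its event XML; if one of them comes back empty on your server, treat that name as an assumption and check the raw XML with `$event.ToXml()`.

```powershell
# Added example, not from the thread: turn on NPS auditing and list the
# last hour of NPS authentication events with the fields that matter for
# a "RADIUS client + Windows group" network policy. Run elevated on the NPS box.

# 1. NPS auth events only reach the Security log if this subcategory is
#    audited. The /r (CSV) form of auditpol is easier to parse than the table.
$setting = (auditpol /get /subcategory:"Network Policy Server" /r | ConvertFrom-Csv).'Inclusion Setting'
if ($setting -ne 'Success and Failure') {
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
}

# 2. Read a named EventData field from the event XML. Positional
#    $_.Properties[n] indexes differ between 6272 and 6273, so avoid them.
#    Field names are the ones NPS uses (assumption: verify against your own
#    events with $event.ToXml() if a column comes back empty).
function Get-NpsField {
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [Parameter(Mandatory)][string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 3. 6272 = access granted, 6273 = access denied, 6274 = request discarded
#    (for example an unknown RADIUS client or a wrong shared secret).
$filter = @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Id             = $_.Id
            User           = Get-NpsField -Event $_ -Name 'SubjectUserName'
            ClientName     = Get-NpsField -Event $_ -Name 'ClientName'        # RADIUS client friendly name
            ClientIP       = Get-NpsField -Event $_ -Name 'ClientIPAddress'   # what "Client IPv4 Address" must match
            CallingStation = Get-NpsField -Event $_ -Name 'CallingStationID'  # the end device / user, not the NAS
            NetworkPolicy  = Get-NpsField -Event $_ -Name 'NetworkPolicyName'
            Reason         = Get-NpsField -Event $_ -Name 'Reason'
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A 6274 with a reason about an unknown RADIUS client means the request never reached policy evaluation at all; a 6273 whose ClientIP differs from the address in the policy's "Client IPv4 Address" condition (the Sonicwall may source RADIUS traffic from an interface other than X0) explains a policy that denies everything once that condition is added.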
  • I believe I have this figured out. I ended up using a different policy per device and matched both the friendly name of the device and the AD group. It would be nice to be able to use multiple friendly names in one policy, and I don't know why they would let you set it since it doesn't seem to work.

    Thank you for the guidance Greg!


    -Drew
    Friday, January 6, 2012 6:00 PM
  • Hi Drew,

    Congrats on figuring it out =) I'm sure the problem you ran into with multiple names is an AND vs. OR issue. I haven't experimented with trying to match multiple friendly names, but I'm pretty sure that if you enter them one by one you are doing an AND which of course won't work because it won't match both NAME1 and NAME2 and NAME3, etc. To get the "OR" working I believe you must use pattern matching syntax (http://technet.microsoft.com/en-us/library/dd197583(WS.10).aspx) such as NAME1|NAME2|NAME3.

    -Greg

    Friday, January 6, 2012 6:36 PM
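The pattern-matching syntax Greg links to is a regular expression, so a PowerShell `-match` (which is also .NET regex) answers the same question the NPS "Client Friendly Name" condition asks. The following is an added example, not from the thread or the linked article, with constructed friendly names; it shows the `NAME1|NAME2|NAME3` form from Greg's reply next to an anchored form, because an unanchored alternation matches any friendly name that merely contains one of the listed names (here `HP-SW-EDGE1` inside `HP-SW-EDGE10`), which would silently let an unintended RADIUS client through the policy.

```powershell
# Added example, not from the thread: check an NPS pattern-matching condition
# for "Client Friendly Name" before pasting it into a network policy.

# Constructed RADIUS client friendly names, as they would appear under
# NPS > RADIUS Clients and Servers. Replace with your own.
$hpSwitches = 'HP-SW-CORE', 'HP-SW-EDGE1', 'HP-SW-EDGE2'
$allClients = $hpSwitches + @('HP-SW-EDGE10', 'APC-UPS-1', 'SONICWALL-X0')

# Build NAME1|NAME2|NAME3 with regex metacharacters escaped (a '.' or '-' in a
# friendly name is harmless, but names containing '(' or '+' are not).
$loose  = ($hpSwitches | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Anchored form: the whole friendly name must be one of the listed values.
$strict = '^(' + $loose + ')$'

function Test-FriendlyNamePattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Names
    )
    # Same regex semantics NPS applies to the condition value.
    $Names | Where-Object { $_ -match $Pattern }
}

"Loose pattern:  $loose"
Test-FriendlyNamePattern -Pattern $loose  -Names $allClients
# Lists HP-SW-CORE, HP-SW-EDGE1, HP-SW-EDGE2 and also HP-SW-EDGE10

"Strict pattern: $strict"
Test-FriendlyNamePattern -Pattern $strict -Names $allClients
# Lists exactly the three HP switches
```

Use the strict form as the condition value and keep the Windows group as a second condition in the same policy; NPS ANDs the conditions, so the policy then reads "one of these RADIUS clients and a member of this group", which is the one-policy-per-group result the thread was after without a separate policy per device.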