NPS: Check for VSAs in RADIUS Access-Request packet

  • Question

  • Hello,

    is it possible to check for vendor specific attributes which are in the RADIUS Access-Request packet?

    For example, I want to define a network policy where in the condition the existence of a VSA will be checked (Aruba-Essid-Name, vendor 14823) and only if this exists will network access be granted, if the configured constraints are met. I searched for this in conditions but only found the ability to return standard or vendor specific attributes (settings). I know this is possible in FreeRADIUS.

    Thanks in advance,

    Tobias Hachmer

    Tuesday, May 15, 2012 12:53 PM

Answers

  • Does nobody have any further suggestions?

    Regards, Tobias Hachmer

    Using VSA as a _CONDITION_ (> Tiger Li) in a network policy is not supported by NPS (http://technet.microsoft.com/en-us/library/cc731220%28v=ws.10%29.aspx).

    As a workaround, duplicate your RADIUS server on the access point and add a NAS Identifier option in it. Use this new RADIUS server with the network SSID you need to identify. On NPS, create a new network policy with a condition matching the above NAS ID.

    • Marked as answer by Tobias Hachmer Monday, February 18, 2013 7:17 AM
    Friday, February 15, 2013 4:29 PM
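    To make concrete what the thread is asking for versus what NPS can match on, here is an added Python example (not from the thread and not NPS code) that parses the RFC 2865 attribute list of an Access-Request, evaluates the requested Aruba-Essid-Name condition (what NPS does not support), and evaluates the NAS-Identifier condition of the workaround (what NPS does support). The Aruba vendor-type 5 for Aruba-Essid-Name and the sample attribute bytes are assumptions, not taken from the thread.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for VSAs
ATTR_NAS_IDENTIFIER = 32    # RFC 2865 NAS-Identifier (the workaround condition)
ARUBA_VENDOR_ID = 14823     # vendor code from the thread
ARUBA_ESSID_NAME = 5        # assumed Aruba vendor-type for Aruba-Essid-Name (not on the page)

def parse_attributes(attrs: bytes):
    """Walk the RFC 2865 attribute TLVs (type, length, value); rejects bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out

def parse_vsa(value: bytes):
    """Decode a type-26 payload: 4-byte vendor-id, then vendor-type/len/value sub-attributes."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    # Sub-attributes use the same TLV layout as top-level attributes
    return vendor_id, parse_attributes(value[4:])

def essid_matches(attrs: bytes, expected: str) -> bool:
    """The condition the thread asks for: Aruba-Essid-Name present and equal to expected."""
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id == ARUBA_VENDOR_ID and (ARUBA_ESSID_NAME, expected.encode()) in subs:
            return True
    return False

def nas_identifier_matches(attrs: bytes, expected: str) -> bool:
    """The workaround condition NPS does support: NAS-Identifier equals expected."""
    return (ATTR_NAS_IDENTIFIER, expected.encode()) in parse_attributes(attrs)

def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_aruba_vsa(vtype: int, value: bytes) -> bytes:
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + build_attr(vtype, value))

# Constructed Access-Request attribute list (not a real capture): User-Name, NAS-Identifier, Aruba VSA
SAMPLE = (build_attr(1, b"tobias") + build_attr(ATTR_NAS_IDENTIFIER, b"ap-secure-wlan")
          + build_aruba_vsa(ARUBA_ESSID_NAME, b"secure-wlan"))
```

    A RADIUS client that sends no NAS-Identifier, or a truncated attribute list, makes the workaround check return False or raises, which is the fail-closed behaviour a policy engine should keep.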

All replies

  • Hi Tobias,

    Thanks for posting here.

    We can achieve that by configuring a custom VSA in NPS server; the detailed procedures can be found at the links below:

    Configure a Custom VSA

    http://technet.microsoft.com/en-us/library/cc731611(WS.10).aspx

    Custom VSA Example

    http://technet.microsoft.com/en-us/library/cc725979(WS.10).aspx

    Vendor-Specific Attributes in NPS

    http://technet.microsoft.com/en-us/library/cc754417(WS.10).aspx

    Thanks.

    Tiger Li


    TechNet Community Support

    Wednesday, May 16, 2012 8:43 AM
  • Hi Tiger Li,

    thanks for the reply. I know how to configure vendor specific attributes. But I thought these are only attributes which I can return in an Access-Accept packet?!

    Where can I configure that, for example, the VSA Aruba-Essid-Name has to exist in an Access-Request packet with value "secure-wlan"? If this attribute doesn't exist with that string the policy doesn't match, just like the other settings under Conditions in a policy.

    I don't want to return a VSA, I want to check if a VSA exists in an access-request packet. So just use it as a condition. In FreeRADIUS this is no problem, there you can do checks on every attribute in the access-request packet.

    Regards,

    Tobias Hachmer

    Wednesday, May 16, 2012 2:12 PM
  • Hi Tobias,

    Thanks for posting here.

    Yes, by selecting “Configure VSA (non-RFC Compliant)” we can specify the hexadecimal string of this Aruba attribute and its value by inputting the Vendor Code (14823):


    If we don’t know that, please refer to Aruba’s documentation or consult with their support service.
    This is similar to the sample in the link below:

    Sample VSA for a US Robotics NAS
    http://technet.microsoft.com/en-us/library/cc738383(WS.10).aspx

    Thanks.

    Tiger Li


    TechNet Community Support


    Thursday, May 17, 2012 6:17 AM
  • Hello Tiger Li,

    thanks for your reply. I think you didn't understand what I want.

    Please take note that I actually know how to configure VSAs like edit network policy->Settings->Vendor Specific->Add->Vendor: Custom->select Vendor-Specific-> Click Add->Click Add->Enter Vendor Code, select yes it conforms->configure attribute->enter VSA Attribute number,format and value.

    But these settings are for RADIUS Attributes which are returned in an Access-Accept packet!!! I configured some with nonsense values and the connection was still granted access. I also sniffed the packets and saw those configured attributes in the Access-Accept packet. That's not what I want!

    I simply want to check if a vendor specific attribute is present in an access-request packet. If the value is the same as I configured (where do I configure this?), access should be granted; if there's a mismatch, access should be denied.

    Please tell me if this is possible and how I would configure those checks. I assume this would be configurable under conditions in a Network Policy, but I didn't find it.

    Regards,

    Tobias Hachmer


    Monday, May 21, 2012 9:18 AM
  • Hi Tobias

    Network policies in NPS are a collection of settings, constraints, and conditions that specify what the connection request must match in order for the policy to apply. When you configure a VSA, you are specifying that the connection request that is sent to NPS must contain that information. If the connection request does not match the policy, the policy is not applied, and NPS moves on to other network policies in the list.

    This means that if you have less restrictive policies (such as the default policies) in the list of policies that match the connection request, the connection might be allowed, even if that was not your intention.

    My suggestion is not to create policies with intentionally invalid parameters, as all that will occur is that NPS will not be able to match the policy with a connection request, then move on to the next policy.

    Please note that if a policy does not match a connection request, it does not mean that NPS automatically rejects the connection - it just moves on to process other policies.

    Thus if you want to create a policy that grants access, you must explicitly configure it to do so. If the connection request matches the policy, and if both authentication and authorization are successful, then NPS grants access.

    The same is true if you want to deny access - you must configure a policy that explicitly denies access, and the connection request must match the policy.

    Thanks -


    James McIllece

    Monday, May 21, 2012 8:33 PM
  • Hello,

    yeah, I know how this works, I hope. So Connection Request policies are for the decision whether the RADIUS requests are processed locally or proxied to other RADIUS servers, in a simple explanation. The Network policies are for the decision whether access will be granted or denied, and they will be processed in the configured order, also a simple explanation.

    But that's all not about my problem.

    I just want to know how I can check for RADIUS Attributes, whether standard or vendor specific RADIUS Attributes, in the RADIUS Access-Request packet?! This is not about returning RADIUS Attributes in the RADIUS Access-Accept packet! I know how I can return RADIUS Attributes in a Network Policy under settings. I want to know how to do checks on them. I know this is possible in FreeRADIUS server, so I just want to know if this is also possible with Microsoft NPS?

    Kind regards,

    Tobias Hachmer


    Tuesday, May 22, 2012 1:00 PM
  • Does nobody have any further suggestions?

    Regards, Tobias Hachmer

    Tuesday, June 12, 2012 8:45 AM
  • Wow,

    I think this is the first time I get a distinct answer for a Microsoft product related to a feature which isn't supported.

    Thanks for the answer! I worried that my question wasn't understood at all ...

    The workaround is not an option for me, because not all RADIUS Clients support this, it needs a lot of configuration work for so many RADIUS Clients, and it makes the config quite confusing overall.

    Regards,

    Tobias Hachmer


    Monday, February 18, 2013 7:22 AM
  • Interesting post and follows... Any news Tobias?? (I don't have money to buy ClearPa$$ server) homero at unison dot mx

    Tuesday, November 10, 2015 6:23 PM