NPS Proxy - proxy Machine Auth requests?

  • Question

  • We have separate wireless SSIDs pointing to NPS servers on separate domains. They presently handle both user auth (BYOD) and machine auth (official Windows laptops) requests. We would like to bring this into one SSID for wireless efficiency.

    In a test environment, I have added a NPS proxy - and I'm successful in forwarding the user authentication without issue.

    Connection Request Policy #1 condition    Condition = User Name    value = ^domain1\\    match "domain1\samaccountname"
    Connection Request Policy #2 condition    Condition = User Name    value = ^domain2\\    match "domain2\samaccountname"
     - or   value = ^domain1\\|@domain1\.org$   match  "domain1\samaccountname"   -or-  "samaccountname@domain1.org"

    I need Policies #3 and #4 to detect any machine auth request and forward it to the appropriate domain NPS.

    Question: Can you proxy machine auth?
       - Microsoft Docs - Connection Request Policies states: "The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy." - This might suggest you can?

      - however, there isn't a CRP condition for machine name, just user name, which might suggest you can't.

    It looks like the request passes the identity of "host/hostname.domain1.org" - I see this in the log entries. I've tried to make a pattern match for the user name condition for this string without success. Microsoft Docs "Using Pattern-Matching Syntax in NPS" is confusing, in ways contradictory, and the examples I'm using have some syntax that doesn't appear in the document (like | ).

    Thursday, May 9, 2019 2:49 PM

All replies

  • Hi,

    I would suggest you use calling station ID condition.

    You can enter the list of MAC addresses, put a pipe/logical OR (|) between them, and put each MAC enclosed between ^ and $.

    Please refer to the link below:

    https://blogs.technet.microsoft.com/teamdhcp/2008/06/15/nap-enforcement-exemption-for-printers-and-other-network-appliances/ 

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, May 10, 2019 5:10 AM
    Moderator
  • Thanks Travis.

    In a way I got this to work (matched and forwarded). For some reason the ^ and $ formatting the article suggested would not work; I had success with the full MAC address only. However, using MAC addresses would be difficult given the hundreds of clients we have - the 256 character limit (though perhaps it's 256 per rule, and one could have multiple rules).

    Thanks for the info...

    Friday, May 10, 2019 1:30 PM
  • I would imagine I just need to get the matching correct.

    I can successfully match account name data (NPS log):

    <User-Name data_type="1">domain1\username</User-Name>  using  ^domain1\\

    Likewise, in the NPS log, machines have the following in account name:

    <User-Name data_type="1">host/pc035.domain1.org</User-Name>


    Friday, May 10, 2019 1:52 PM
  • Success. I'll detail it in case anyone is interested, and someone might offer improvements.

    Using User Name condition:

    CRP Rule 1 -  ^domain1\\|@domain1\.org$     matches    "domain1\samusername"  or  samusers@domain1.org

    CRP Rule 2 - ^domain2\\|@domain2\.org$      matches    "domain2\samusername"  or  samusers@domain2.org

    CRP Rule 3 - .domain1.org$     matches   "host/pc123.domain1.org"     -windows machine identity

    CRP Rule 4 - .domain2.org$     matches   "host/pc123.domain2.org"     -windows machine identity

    I would love a matching rule that included a check of the "host/" portion to further delineate a PC vs. a user, but the "." vs "@" will work.

    Friday, May 10, 2019 3:27 PM
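To see how the four User Name patterns above behave on the identity formats the thread's NPS log shows, here is an added Python model; it is not code from the thread or from NPS, and it assumes NPS evaluates connection request policies top-down with the first match winning and treats the User Name condition as an ordinary unanchored regular-expression search (the poster's working `^domain1\\` and `@domain1\.org$` rules rely on explicit anchors). It also tries a stricter machine pattern with the "host/" check the poster wished for; that pattern is my suggestion, not something the thread confirms works in NPS.

```python
import re

# The thread's Connection Request Policies, in processing order.
# Assumption: NPS evaluates CRPs top-down and applies the first match.
CRP_RULES = [
    ("Rule 1: domain1 user",    r"^domain1\\|@domain1\.org$"),
    ("Rule 2: domain2 user",    r"^domain2\\|@domain2\.org$"),
    ("Rule 3: domain1 machine", r".domain1.org$"),
    ("Rule 4: domain2 machine", r".domain2.org$"),
]

# Suggested stricter machine rules (not from the thread): require the
# "host/" prefix, escape the dots, and forbid '@', '\' and '/' in the
# hostname part, so a user principal can never satisfy them.
STRICT_MACHINE_RULES = [
    ("Rule 3 strict: domain1 machine", r"^host/[^\\@/]+\.domain1\.org$"),
    ("Rule 4 strict: domain2 machine", r"^host/[^\\@/]+\.domain2\.org$"),
]


def all_matches(user_name, rules):
    """Every rule whose pattern matches user_name, in policy order."""
    return [name for name, pattern in rules if re.search(pattern, user_name)]


def route(user_name, rules):
    """The rule NPS would apply under first-match ordering, or None."""
    hits = all_matches(user_name, rules)
    return hits[0] if hits else None


# Constructed User-Name values in the shapes the NPS log in the thread shows.
SAMPLES = [
    r"domain1\samusername",
    "samusers@domain1.org",
    r"domain2\samusername",
    "host/pc123.domain1.org",
    "host/pc123.domain2.org",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:24} -> {route(name, CRP_RULES)}"
              f"   all matching: {all_matches(name, CRP_RULES)}")
    # The unescaped '.' in .domain1.org$ also matches the '@' of a UPN, so a
    # user identity satisfies Rule 3 too; only policy order keeps Rule 1 first.
    print(all_matches("samusers@domain1.org", CRP_RULES))
    print(route("samusers@domain1.org", STRICT_MACHINE_RULES))  # None
```

Note that `samusers@domain1.org` satisfies Rule 3 as well as Rule 1, because the unescaped dot in `.domain1.org$` matches the `@`; the user-versus-machine split therefore depends on Rules 1 and 2 being ordered ahead of Rules 3 and 4, whereas the strict patterns match machine identities only.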
  • Hi,

    I am glad to hear that your issue was successfully resolved.

    In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 13, 2019 9:13 AM
    Moderator