Sometimes you want to add a condition in policy which checks value of a RADIUS attribute which is not available for including in conditions by default. For example, when authenticating connection requests from Cisco routers, it is very useful to be able
to check value of NAS-Port-Id attribute, but neither IAS nor NPS allow you to add such condition in their MMC consoles.
On IAS, there was a trick with manual editing dnary.mdb database in MS Access (described here:
http://www.tech-archive.net/Archive/Internet/microsoft.public.internet.radius/2005-02/0142.html). After setting field "IsAllowedInCondition" for desired attribute to True, IAS console allows you to add that attribute as condition, and shows this condition
when you view policy settings later.
With NPS, it is possible to add such non-standard conditions by manually editing exported XML file with NPS configuration and then importing it back, see here:
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/f96086ed-42ce-4c09-808b-38fa6aee722a. The drawback of this approach is the fact that such condition works (I've tested it), but is not visible in NPS console when you view policy settings.
It is visible only in netsh. In our environment, the same server may be reconfigured at times by different IT staff members from different countries, and I'm afraid it can lead to occasional deletion of required settings.
I've tried to recreate the trick from IAS on NPS, but without much success. NPS uses XML files instead of Jet Red, attribute list is now stored in dnary.xml. Attribute XML elements have sub-elements <IsAllowedInCondition> with values of 0 or 1. I've
tried setting it to 1 for NAS-Port-Id:
<Attribute>
<ID>87</ID>
<Name>NAS-Port-Id</Name>
<Syntax>OctetString</Syntax>
<MultiValued>0</MultiValued>
<Is-Security-Sensitive>0</Is-Security-Sensitive>
<IsAllowedInProfile>1</IsAllowedInProfile>
<IsAllowedInCondition>1</IsAllowedInCondition>
<IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
<IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
<LDAPName>msRADIUSNASPortId</LDAPName>
<IsTunnelAttribute>0</IsTunnelAttribute>
</Attribute>
Then rebooted server just to be sure. Now attribute NAS-Port-Id has appeared in list of attributes availbale for Network Policy conditions in netsh (it wasn't there before):
netsh nps show npconditionattributes | find "57"
NAS-Port-Id 0x57 Octet string
But NPS console still doesn't offer it for creating conditions, and, what is much worse, doesn't display already existing conditions with NAS-Port-Id in policies. So the question is, is it possible to modify console behaviour somehow?
Add extra RADIUS attribute to NPS Network Policy condition
