How to check NAS-Port-Id or add custom conditions to NPS?

  • Question

  • Hi!

    My RADIUS client sends the attribute NAS-Port-Id to NPS like this: "NAS-Port-Id: unit=1;subslot=0;port=17;vlanid=1059"

    Based on the value of this attribute I need to allow or deny access.

    E.g., "if NAS-Port-Id contains 'vlanid=1004' then allow".

    With the standard conditions it is impossible.

    How can I check the value of this attribute or add custom conditions to NPS?

    Thanks!

    Saturday, October 15, 2011 1:30 AM

Answers

  • Solved.

    Steps:

    1. Make a new Connection Request Policy with 2 conditions (output of the "netsh nps show config" command):

     

    Connection request policy configuration: 
    --------------------------------------------------------- 
    Name             = !!!DO NOT MODIFY!!! Ethernet & VLAN1004 & from 172.16.15.11 
    State            = Enabled 
    Processing order = 2 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x3d        "^15$" 
    Condition1                              0x100c      "172.16.15.11" 
    
    


    2. Export the configuration to XML via "netsh nps export filename=config.xml"

    3. Find the Connection Request Policy:

     

    <Ethernet___VLAN1004_from_ROUTER name="Ethernet &amp; VLAN1004 from ROUTER">
      <Properties>
        <Opaque_Data xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></Opaque_Data>
        <Policy_Enabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</Policy_Enabled>
        <Policy_SourceTag xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">0</Policy_SourceTag>
        <Template_Guid xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">{00000000-0000-0000-0000-000000000000}</Template_Guid>
        <msNPAction xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">Copy of Ethernet</msNPAction>
        <msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("NAS-Port-Type=^15$")</msNPConstraint>
        <msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("Client-IP-Address=172.16.15.11")</msNPConstraint>
        <msNPSequence xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">2</msNPSequence>
      </Properties>
    </Ethernet___VLAN1004_from_ROUTER>

    4. Add this inside (between "NAS-Port-Type=^15$" and "Client-IP-Address=172.16.15.11"):

     

    <msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("NAS-Port-Id=vlanid=1004")</msNPConstraint>

     

    5. Import the config back into NPS via "netsh nps import filename=config.xml"

    Check for our 3rd condition (output of the "netsh nps show config" command):

    Connection request policy configuration: 
    --------------------------------------------------------- 
    Name             = !!!DO NOT MODIFY!!! Ethernet & VLAN1004 & from 172.16.15.11 
    State            = Enabled 
    Processing order = 2 
    Policy source    = 0 
    
    Condition attributes: 
    
    Name                                    Id          Value 
    --------------------------------------------------------- 
    Condition0                              0x3d        "^15$" 
    Condition1                              0x57        "vlanid=1004" 
    Condition2                              0x100c      "172.16.15.11" 
     
    
    Number 0x57 is the NAS-Port-Id attribute number.

    After these steps NPS ALLOWs all Access-Requests with the following conditions:

    1. Request from Client 172.16.15.11 

    2. NAS-Port-Id contains "vlanid=1004"

    3. NAS-Port-Type = Ethernet

     


    • Edited by AMurchick Tuesday, October 18, 2011 5:54 AM
    • Marked as answer by AMurchick Tuesday, October 18, 2011 5:54 AM
    Tuesday, October 18, 2011 5:53 AM
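
    Steps 2 to 5 above can be scripted instead of edited by hand. The script below is an added example, not code from the thread or from Microsoft: it takes the exported policy element (the one pasted above, embedded here as a constructed sample wrapped in a minimal root), inserts the NAS-Port-Id msNPConstraint between the two existing ones, and then models how NPS evaluates MATCH() values as regular expressions against the attribute string (an assumption drawn from the anchored "^15$" pattern in the thread). The request values are constructed from the log line quoted in the thread. The model shows that the unanchored pattern vlanid=1004 also matches vlanid=10045, while an anchored pattern does not; the element names, policy tag and function names are the thread's, everything else is assumed.

```python
"""Added example: script the NPS export/edit/import step and check what the
resulting policy would match. Not from the thread or from Microsoft."""
import re
import xml.etree.ElementTree as ET

DT_NS = "urn:schemas-microsoft-com:datatypes"
ET.register_namespace("dt", DT_NS)  # keep the dt: prefix when serialising

# Constructed sample: the policy element from the thread inside a minimal root
# so it parses on its own (a real 'netsh nps export' file is far larger).
SAMPLE_EXPORT = (
    '<Root>'
    '<Ethernet___VLAN1004_from_ROUTER name="Ethernet &amp; VLAN1004 from ROUTER">'
    '<Properties>'
    '<Opaque_Data xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></Opaque_Data>'
    '<Policy_Enabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</Policy_Enabled>'
    '<msNPAction xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">Copy of Ethernet</msNPAction>'
    '<msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("NAS-Port-Type=^15$")</msNPConstraint>'
    '<msNPConstraint xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">MATCH("Client-IP-Address=172.16.15.11")</msNPConstraint>'
    '<msNPSequence xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">2</msNPSequence>'
    '</Properties>'
    '</Ethernet___VLAN1004_from_ROUTER>'
    '</Root>'
)

POLICY_TAG = "Ethernet___VLAN1004_from_ROUTER"
MATCH_RE = re.compile(r'^MATCH\("([^=]+)=(.*)"\)$')  # MATCH("Attr=regex")


def constraints_of(xml_text, policy_tag):
    """Return the MATCH(...) strings of one policy, in the order NPS lists them."""
    root = ET.fromstring(xml_text)
    policy = root.find(policy_tag)
    if policy is None:
        raise KeyError(policy_tag)
    return [c.text or "" for c in policy.find("Properties").findall("msNPConstraint")]


def add_constraint(xml_text, policy_tag, attribute, pattern, after_attribute):
    """Insert MATCH("<attribute>=<pattern>") directly after the constraint on
    after_attribute, mirroring the manual edit in step 4. Returns the new XML."""
    root = ET.fromstring(xml_text)
    props = root.find(policy_tag).find("Properties")
    for idx, child in enumerate(list(props)):
        if child.tag == "msNPConstraint" and (child.text or "").startswith(f'MATCH("{after_attribute}='):
            new = ET.Element("msNPConstraint", {f"{{{DT_NS}}}dt": "string"})
            new.text = f'MATCH("{attribute}={pattern}")'
            props.insert(idx + 1, new)
            return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no constraint on {after_attribute} in {policy_tag}")


def parse_match(constraint):
    """Split MATCH("Attr=regex") at the first '=' into (attr, regex)."""
    m = MATCH_RE.match(constraint)
    if not m:
        raise ValueError(constraint)
    return m.group(1), m.group(2)


def policy_matches(constraints, request):
    """Model of NPS condition evaluation (assumption): every constraint's regex
    must be found somewhere in the request's value for that attribute, which is
    why the thread anchors NAS-Port-Type as ^15$."""
    for attr, regex in map(parse_match, constraints):
        value = request.get(attr)
        if value is None or re.search(regex, value) is None:
            return False
    return True


# Constructed request; attribute values taken from the log line in the thread
# (61 = NAS-Port-Type, 87 = NAS-Port-Id).
REQUEST_OK = {
    "Client-IP-Address": "172.16.15.11",
    "NAS-Port-Type": "15",
    "NAS-Port-Id": "slot=2;subslot=0;port=33;vlanid=1004",
}


def demo():
    """Compare the thread's unanchored pattern with an anchored one."""
    loose = constraints_of(
        add_constraint(SAMPLE_EXPORT, POLICY_TAG, "NAS-Port-Id", "vlanid=1004", "NAS-Port-Type"), POLICY_TAG)
    strict = constraints_of(
        add_constraint(SAMPLE_EXPORT, POLICY_TAG, "NAS-Port-Id", r"(^|;)vlanid=1004(;|$)", "NAS-Port-Type"), POLICY_TAG)
    other_vlan = dict(REQUEST_OK, **{"NAS-Port-Id": "slot=2;subslot=0;port=33;vlanid=10045"})
    return {
        "loose_ok": policy_matches(loose, REQUEST_OK),
        "loose_vlan10045": policy_matches(loose, other_vlan),   # unanchored: also allows VLAN 10045
        "strict_ok": policy_matches(strict, REQUEST_OK),
        "strict_vlan10045": policy_matches(strict, other_vlan),  # anchored: rejected
    }


if __name__ == "__main__":
    print(demo())
```

    To use it on a real export, replace SAMPLE_EXPORT with the contents of config.xml, write the string returned by add_constraint back in the file's original encoding, and run the import from step 5. The same substring caveat applies to the Client-IP-Address condition: as a regex, "172.16.15.11" would also be found in "172.16.15.110", so anchoring that value is worth considering too.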

All replies

  • Hi,

     

    Thanks for posting here.

     

    What RADIUS client are you using now?

    Maybe you can take a look at the “gateway” category in conditions and the article below:

     

    RADIUS Protocol

    http://technet.microsoft.com/en-us/library/dd197481(WS.10).aspx

     

    For more, please refer to the introductions:

     

    Network Policy Conditions Properties

    http://technet.microsoft.com/en-us/library/cc731220(WS.10).aspx

     

    Thanks.

     

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, October 17, 2011 8:22 AM
  • Hi!

    RADIUS client: Ethernet switch 3Com 775x

    In the Gateway category no such attribute as NAS-Port-Id (87) is found.

    Only the NAS-Port-Type and NAS-Identifier attributes are found.

    In the NPS logs the attribute NAS-Port-Id is present (look for "slot=2;subslot=0;port=33;vlanid=1004"):

    172.16.15.11,6400f1d5864f,10/17/2011,18:11:18,IAS,NPS,4,172.16.15.11,32,7750-CO-S2-A8-Uxx,5,33690604,87,slot=2;subslot=0;port=33;vlanid=1004,61,15,6,2,7,1,31,6400-f1d5-864f,26,0x0000002B1A0600000F69FF0753363530363C1B302E302E302E302036343A30303A66313A64353A38363A34663B0649E677C6,4108,172.16.15.11,4116,43,4128,7750-CO-S2-A8,4154,Ethernet,4155,1,4129,BWC\6400f1d5864f,4130,BWC\6400f1d5864f,25,311 1 172.16.15.20 10/14/2011 06:58:49 8759,4127,1,4136,1,4142,0
    

    Any ideas?

    Thanks!

    • Edited by AMurchick Monday, October 17, 2011 9:15 AM
    Monday, October 17, 2011 9:14 AM
  •  AMurchick,

    Your answer is 100% accurate.

    You are awesome.

    Regards.

    Saturday, June 3, 2017 12:20 AM