IP-based group-mapping with AD - user in multiple groups

christian.voelz
Level 1

Hi everyone,

I have an evil task to do and I'm nearly despairing...

Our customer has an Active Directory with several users; authenticating with ACS against AD is no problem.

The customer has access-device A, which is for laptop users and a mobile phone provider, and access-device B, which is for the PC at home that dials in via ISDN.

There are two groups in AD, one for device A and one for device B. So far so good: if a user authenticates from device A he should get IP-Pool A, and IP-Pool B if he comes from device B.

Unfortunately there are many users which are in group A AND(!) B. ACS stops processing the group mapping when it reaches the first match, which is alphabetically group A.

Next thing I tried was the use of Network Access Profiles, with no effort, because ACS only processes groups until the first match.

Did anyone accomplish this job?

To summarize it: if you come from device A, you have to be in group A and you will get IP-Pool A, and vice versa for device B. But what when you are in both Windows groups?

Thanks in advance!

Chris

3 Replies

darpotter
Level 5

Hi..

Ok, so forget group mapping from AD. What you have here are two separate network services that require individual provisioning... what I call "Service Differentiated Provisioning".

This is where Shared RADIUS Authorisation Profiles come in (I know because I designed them :)

Create a NAF for each device - simplest by using their IP addresses.

Next create two shared RACs - one for each service (mobile & home). Inside, use RADIUS attributes to assign the IP pool depending on your RADIUS vendor (Cisco?)

eg cisco-av-pair = ip:addr-pool=poolA

Next create the two NAPs - one for mobile access and the other for home access - by selecting the appropriate NAF to activate on. Select the authentication types (MSCHAP) and database (Windows).

Next, edit the Authorisation part of each NAP. Uncheck the tick boxes "Include attributes from user & group records" - this would merge attributes from group, RAC and user... gets MESSY. Anyway, you should see a default rule displayed "If a condition is not defined...." - in the Shared RAC dropdown select the RAC that is appropriate for the NAP (ie mobile or home). Then submit.

At this point, to avoid clashes... remove any IP allocation settings in the ACS groups A & B.

You should now be able to authenticate users on each network service. They will still map to an ACS group (as before). However, the IP pool allocation will now come from the relevant RAC instead of a group.

It may look complicated (um, guess it is) and the NAP pages are not very friendly, but if you work through these steps it should work a treat.

If you run CSRadius -z -p from the command line you'll see all the extra helpful debug I put in :)

Now all you need to do is download the trial of extraxi aaa-reports! (www.extraxi.com) so that you can generate reports to audit the fruits of your labours!

Good luck

Darran
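The logic Darran describes, as an added example that is not from the thread or from ACS: the service (and so the RAC) is chosen from the access device's NAS-IP-Address, the matching AD group is only required for access, and the pool is handed to the NAS as a Cisco VSA (RADIUS attribute 26, vendor 9, cisco-avpair) carrying `ip:addr-pool=...`. The NAS addresses, group names and pool names below are constructed placeholders.

```python
import struct

# Constructed values (not from the thread): NAS-IP-Address of each access
# device, i.e. the two NAFs, mapped to the service they carry.
NAF_BY_NAS_IP = {
    "192.0.2.10": "mobile",  # device A: laptop / mobile phone users
    "192.0.2.20": "home",    # device B: ISDN dial-in from the home PC
}
# One shared RAC per service: the cisco-avpair that names the pool on the NAS.
RAC_AVPAIR = {
    "mobile": "ip:addr-pool=poolA",
    "home": "ip:addr-pool=poolB",
}
# The AD group a user must still be in to use each service (constructed names).
REQUIRED_GROUP = {"mobile": "groupA", "home": "groupB"}

CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1    # vendor type of cisco-avpair


def select_rac(nas_ip: str, ad_groups: set) -> str:
    """Pick the RAC by device (NAF), not by the first matching AD group."""
    service = NAF_BY_NAS_IP[nas_ip]          # unknown NAS -> KeyError, no RAC
    if REQUIRED_GROUP[service] not in ad_groups:
        raise PermissionError(f"user is not in {REQUIRED_GROUP[service]}")
    return service                           # membership in both groups is fine


def encode_cisco_avpair(value: str) -> bytes:
    """Build an RFC 2865 Vendor-Specific (type 26) holding one cisco-avpair."""
    payload = value.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", 26, 2 + len(body)) + body


def decode_cisco_avpair(attr: bytes) -> str:
    """Inverse of encode_cisco_avpair; rejects inconsistent length fields."""
    if len(attr) < 8 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != CISCO_VENDOR_ID:
        raise ValueError("not a Cisco VSA")
    if attr[6] != CISCO_AVPAIR_TYPE or attr[7] != len(attr) - 6:
        raise ValueError("inconsistent vendor attribute length")
    return attr[8:].decode("ascii")


def authorize(nas_ip: str, ad_groups: set) -> bytes:
    """Return the Access-Accept attribute a user gets via the given device."""
    return encode_cisco_avpair(RAC_AVPAIR[select_rac(nas_ip, ad_groups)])
```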

Hi Darran,

It's been a while... but thanks for your reply!!

I set up everything as you described. I use a very handy RADIUS ping tool (ntradping from dialways) to check if the configuration works - and ACS behaves as you describe.

There is one more question I have concerning the IP pools. In this configuration the IPs are not distributed by ACS itself but by the AAA device (RADIUS client A or B) that contacts ACS? Does this mean that the IP pools have to be configured on the RADIUS clients (can there be more than 254 addresses on these devices?)?

Is there any chance to distribute IPs by ACS?

I will have a look at extraxi.com for your obviously excellent reporter ;-))

best regards

Christian

Hi Christian!

You could distribute IPs from ACS (using different pools)?

Thanks and regards. Martín