06-19-2014 07:58 PM - edited 03-10-2019 09:48 PM
I recently started using NPS to authenticate logins to my Cisco devices and I have the basics working. However I have a need to add an additional matching constraint to my NPS network policies.
Right now I am using RADIUS client friendly name and/or IP address but I don't find that the pattern matching syntax of these NPS constraints can do what I need without having to create literally dozens of policies. I need to somehow add a custom attribute to a certain group of switches so that I can "filter" out which Windows AD group can login to them by using a deny policy that matches this custom attribute.
From the NPS constraint list I see I have some options like "Called Station ID", "NAS ID" and "Client Vendor ID", etc available. If there was a way to modify these attributes on the switch and send them to the NPS then I could achieve what I want. For instance I could configure the "Client Vendor ID" of my special switches with some custom data that I could then use to match on the deny NPS policy.
Any ideas?
TIA
06-20-2014 08:33 PM
Hello again Diego :)
I checked with a friend that has used NPS more than me and he was also not aware of a way to create "location groups" in NPS or something similar to where you can distinguish between two different NADs.
However, he did provide an interesting solution. He suggested that we use a regular expression in the NAS Identifier field in NPS. The regex would be for the IP subnet for that particular site. For example, let's say that you have two sites:
1. Site A: With local subnet of 192.168.30.x /24
2. Site B: With local subnet of 10.10.1.x /24
In NPS you can build rules like this:
If NAS Identifier is 10\.10\.1\.* and AD Group is Site_B_Admins Then Full access
And for Site A
If NAS Identifier is 192\.168\.30\.* and AD Group is Site_A_Admins Then Full access
Of course, for this to work, each site would have to have a unique subnet that does not overlap with any other sites.
Hope this gives you some sort of a solution
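As an added illustration of how the ordered policies above are evaluated (this is example code written for this page, not something posted in the thread or shipped with NPS): a small model of NPS network-policy processing, where policies are tried top to bottom, the NAS-Identifier condition is a regular expression, the AD-group condition is a membership test, and the first policy whose conditions all match decides the outcome. The policy names, the NAS-Identifier strings and the user group sets are constructed for the demo. It also shows a check worth running before trusting the patterns: NPS, like other regex engines, matches a condition pattern anywhere inside the attribute value unless it is anchored, so the unanchored `10\.10\.1\.*` also accepts a NAS-Identifier such as `210.10.1.7`; an anchored pattern such as `^10\.10\.1\.\d{1,3}$` does not.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NetworkPolicy:
    """One NPS network policy reduced to the two conditions used in the thread."""
    name: str
    nas_id_regex: str              # applied to RADIUS attribute 32, NAS-Identifier
    required_group: Optional[str]  # AD group the user must be in; None = no group condition
    grant: bool                    # True = Full access, False = Deny


def policy_matches(policy: NetworkPolicy, nas_identifier: str, user_groups: set) -> bool:
    """All conditions of a policy must hold for it to be selected.

    re.search (not fullmatch) is deliberate: it mirrors NPS, which finds the
    pattern anywhere in the attribute value unless the pattern is anchored.
    """
    if re.search(policy.nas_id_regex, nas_identifier) is None:
        return False
    if policy.required_group is not None and policy.required_group not in user_groups:
        return False
    return True


def evaluate(policies, nas_identifier: str, user_groups: set) -> Tuple[Optional[str], bool]:
    """First matching policy wins, as in NPS policy ordering.

    Returns (policy name, access granted). With no matching policy NPS rejects
    the request, modelled here as (None, False).
    """
    for policy in policies:
        if policy_matches(policy, nas_identifier, user_groups):
            return policy.name, policy.grant
    return None, False


# The two rules from the thread, written exactly as the unanchored patterns given there.
THREAD_POLICIES = [
    NetworkPolicy("Site B admins", r"10\.10\.1\.*", "Site_B_Admins", True),
    NetworkPolicy("Site A admins", r"192\.168\.30\.*", "Site_A_Admins", True),
]

# Same intent with anchored patterns, plus an explicit catch-all deny at the bottom
# so the ordering behaviour is visible. Constructed for this example.
ANCHORED_POLICIES = [
    NetworkPolicy("Site B admins", r"^10\.10\.1\.\d{1,3}$", "Site_B_Admins", True),
    NetworkPolicy("Site A admins", r"^192\.168\.30\.\d{1,3}$", "Site_A_Admins", True),
    NetworkPolicy("Deny everything else", r".*", None, False),
]


def demo():
    """Constructed requests: (NAS-Identifier sent by the switch, user's AD groups)."""
    requests = [
        ("10.10.1.7", {"Site_B_Admins"}),      # Site B switch, Site B admin
        ("192.168.30.4", {"Site_A_Admins"}),   # Site A switch, Site A admin
        ("192.168.30.4", {"Site_B_Admins"}),   # Site A switch, wrong group
        ("210.10.1.7", {"Site_B_Admins"}),     # third-party subnet containing "10.10.1."
    ]
    results = {}
    for nas_id, groups in requests:
        results[nas_id, frozenset(groups)] = (
            evaluate(THREAD_POLICIES, nas_id, groups),
            evaluate(ANCHORED_POLICIES, nas_id, groups),
        )
        print(f"{nas_id:14} {sorted(groups)} thread={results[nas_id, frozenset(groups)][0]} "
              f"anchored={results[nas_id, frozenset(groups)][1]}")
    return results


if __name__ == "__main__":
    demo()
```

The last request is the one to look at: with the thread's unanchored pattern it lands on the Site B grant policy, while the anchored version falls through to the final deny. The same first-match ordering is why a deny policy keyed only on a NAS-Identifier pattern must sit above any broader grant policy it is meant to override.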
06-23-2014 07:01 AM
Neno,
Yes, this is what I ended up doing. It is not the most elegant solution but will do for now. It would be great if I could have added some type of identifier to individual devices for more granular control but then again I guess that is what ACS is for, right? Beggars can't be choosers.
Thanks for your help and input.
Diego
06-24-2014 01:25 AM
Ha ha "Beggars can't be choosers" very well put Diego :) But yes, I also wish there was a better way to group things in NPS. That is why ACS and ISE are paid and NPS comes for free :)
Glad you were able to figure it out (+5) from me. If your issue is resolved you should probably mark it as "answered"