M and MSM Series
Filter NPS policy on advanced RADIUS attributes

LeoKurz
Occasional Advisor

Filter NPS policy on advanced RADIUS attributes

Hello,

 

I use an MSM710 with a Microsoft 2008R2 NPS as RADIUS server. Now I want to configure different authentications for different VSCs. HP sends the required information in vendor-specific attributes (Colubris AV-Pair, enterprise code 8744, attribute type number 0), e.g. ssid=<SSID>incoming. How can I access these attributes in a network policy to filter the authentication?

 

Any help appreciated!

 

__Leo

Peter_Debruyne
Honored Contributor

Re: Filter NPS policy on advanced RADIUS attributes

Hi,


This is not an easy one: the Windows NPS GUI does not allow you to configure this, but this should do the trick from the command line. Be careful, since these custom changes do not appear in the GUI; they can only be seen from the command line again.

# review current policy conditions and attributes
netsh nps show np

# sample output

Network policy configuration:
---------------------------------------------------------
Name             = Wired-802.1x-PEAP
State            = Enabled
Processing order = 6
Policy source    = 0

Condition attributes:

Name                                    Id          Value
---------------------------------------------------------
Condition0                              0x1023      "S-1-5-21-2634562202-3359562768-3642344099-513"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
EAP-Configuration                       0x1fa2      "1900000000000000000000000000000038000000020000003800000001000000140000002A7BF0794279DDB5E0F2D01AE8FBCDC6F1B2AA470100000001000000100000001A00000000000000"
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
NP-Authentication-Type                  0x1009      "0x5"
MS-Quarantine-State                     0x1faf      "0x0"
Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"

# take note of the current condition(s); you need to repeat the condition when you edit the policy.
# if it is not repeated, the new command simply overrides the current condition(s)

# now modify the policy, remember to repeat the existing condition(s), in this case just 1 (this example is a Windows group membership)
# on top of the existing setting, you need to add the vendor specific condition:
# conditionid = "0x1a"    
# this is 26, meaning vendor specific attribute

# conditiondata = "0100002228000Bssid=test"    
# not entirely sure, but the 0x2228 part represents the vendor code 8744.
# I found this by setting, in an existing profile, a vendor-specific profile attribute: vendor 8744, code 0, type string, value ssid=test
# Next use "netsh nps show np" and review the configured settings in the profile. These are the values you can use in your condition.

# so, sample command:
netsh nps set np name = "Wired-802.1x-PEAP" state = "enable"  conditionid = "0x1023" conditiondata = "S-1-5-21-2634562202-3359562768-3642344099-1112" conditionid = "0x1a" conditiondata = "0100002228000Bssid=test"

# review :
netsh nps show np

# sample output; do not worry about the Processing order value, this just depends on the number of policies you have defined on the NPS:

Network policy configuration:
---------------------------------------------------------
Name             = Wired-802.1x-PEAP
State            = Enabled
Processing order = 6
Policy source    = 0

Condition attributes:

Name                                    Id          Value
---------------------------------------------------------
Condition0                              0x1023      "S-1-5-21-2634562202-3359562768-3642344099-1112"
Condition1                              0x1a        "0100002228000Bssid=test"

Profile attributes:

Name                                    Id          Value
---------------------------------------------------------
EAP-Configuration                       0x1fa2      "1900000000000000000000000000000038000000020000003800000001000000140000002A7BF0794279DDB5E0F2D01AE8FBCDC6F1B2AA470100000001000000100000001A00000000000000"
NP-Allow-Dial-in                        0x100f      "TRUE"
NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
NP-Authentication-Type                  0x1009      "0x5"
MS-Quarantine-State                     0x1faf      "0x0"
Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
Framed-Protocol                         0x7         "0x1"
Service-Type                            0x6         "0x2"


Best regards,
Peter
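The conditiondata string in the reply mixes a hex header with the attribute value in plain text. Reading it against the Vendor-Specific attribute layout of RFC 2865 (section 5.26), 0100002228000Bssid=test splits into a leading byte 01, the 4-byte vendor id 00002228 (8744), the vendor type 00, the vendor length 0B (11 = 2 header bytes + 9 characters of ssid=test) and the value. The script below is an added example, not code from the post or from HP/Microsoft: it builds that string for any SSID (so it generalizes the single ssid=test case to the ssid=<SSID>incoming values the question mentions), decodes one back and checks that its length byte is consistent, and assembles the full netsh line with the existing group condition repeated. The meaning of the leading 0x01 byte is not explained on the page, so it is reproduced as observed and marked as an assumption; the group SID used in the demo is a constructed placeholder.

```python
import struct

# Values stated on the page: the Colubris AV-Pair vendor-specific attribute.
COLUBRIS_VENDOR_ID = 8744      # enterprise code, 0x2228 in the hex header
COLUBRIS_AV_PAIR_TYPE = 0      # vendor-assigned attribute type number
# ASSUMPTION: the posted sample starts with byte 0x01; the page does not
# explain its meaning, so it is reproduced exactly as observed.
LEADING_BYTE = 0x01
HEADER_FMT = ">BIBB"           # leading byte, vendor id, vendor type, vendor length
HEADER_HEX_LEN = struct.calcsize(HEADER_FMT) * 2   # 7 bytes -> 14 hex characters


def build_vsa_condition(value: str, vendor_id: int = COLUBRIS_VENDOR_ID,
                        vendor_type: int = COLUBRIS_AV_PAIR_TYPE) -> str:
    """Return the netsh 'conditiondata' string for a string-typed VSA."""
    payload = value.encode("ascii")   # the sample appends the value as plain text
    # RFC 2865 section 5.26: vendor-length counts the type and length bytes too.
    vendor_length = 2 + len(payload)
    if vendor_length > 255:
        raise ValueError("VSA value too long for a one-byte vendor-length")
    header = struct.pack(HEADER_FMT, LEADING_BYTE, vendor_id, vendor_type, vendor_length)
    return header.hex().upper() + value


def parse_vsa_condition(data: str) -> dict:
    """Decode a conditiondata string and verify its length byte matches the value."""
    if len(data) < HEADER_HEX_LEN:
        raise ValueError("conditiondata is shorter than the 7-byte header")
    leading, vendor_id, vendor_type, vendor_length = struct.unpack(
        HEADER_FMT, bytes.fromhex(data[:HEADER_HEX_LEN]))
    value = data[HEADER_HEX_LEN:]
    if vendor_length != 2 + len(value.encode("ascii")):
        raise ValueError(f"vendor-length {vendor_length} does not match value {value!r}")
    return {"leading": leading, "vendor_id": vendor_id,
            "vendor_type": vendor_type, "value": value}


def netsh_set_np_command(policy: str, group_sid: str, ssid: str) -> str:
    """Assemble the 'netsh nps set np' line from the reply: the existing group
    condition (id 0x1023) is repeated and the VSA condition (id 0x1a) is added."""
    vsa = build_vsa_condition(f"ssid={ssid}")
    return (f'netsh nps set np name = "{policy}" state = "enable" '
            f'conditionid = "0x1023" conditiondata = "{group_sid}" '
            f'conditionid = "0x1a" conditiondata = "{vsa}"')


if __name__ == "__main__":
    # Constructed demo values; the SID is a placeholder, not a real group.
    print(build_vsa_condition("ssid=test"))            # 0100002228000Bssid=test
    print(parse_vsa_condition("0100002228000Bssid=test"))
    print(netsh_set_np_command("Wired-802.1x-PEAP", "S-1-5-21-EXAMPLE-1112", "Guest"))
```

The parser's length check is the useful part when hand-editing these strings: a value whose vendor-length byte does not match will silently never match any request. Keep in mind that the condition only compares what the controller puts into the Access-Request, so it is as trustworthy as the RADIUS client entry and shared secret that protect that request, and, as the reply says, confirm the result with `netsh nps show np` because the GUI will not show the new condition.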