How do you use classification policy to change user profile based upon if the device is in the AD domain?

  • Question
  • Updated 5 years ago
  • Answered
The scenario is that RADIUS/NPS is on a Windows 2008 R2 server. I have 802.1x working well on this network. However, I mistook how the client classification worked until I read the details in the help section. I was assuming that when I set up the client classification policy so that, if it recognizes the client is on the AD domain, I can redirect that user to a different profile, this would occur based upon the actual computer account being on the domain. After reading the help I see that it determines this by the user account used to authenticate. Well, the whole school is on AD, so even if they are using a BYOD iPad they are authenticating on the domain with their user account. The school wishes to keep the school-provided (domain-based) computers on one profile and all BYOD devices (also authenticated via 802.1x) on another profile. Can I accomplish this with one SSID? At this point I have set up the client classification so that all "Windows" OSs will be provided the one profile, leaving all other OSs on the second profile. This will not work if someone walks in with their own Windows device, but it is enough to hold things until I figure this out.

Thanks again for any assistance.

Shane Walters


Posted 5 years ago


Crowdie, Champ

In a nutshell you can configure the Windows domain clients for PEAP MSCHAPv2 authentication using "user or computer authentication" and create a RADIUS policy that checks the computer authentication against Active Directory and returns the appropriate user profile attribute as a RADIUS attribute. Therefore you don't need to use client classification.

The RADIUS attributes to return are as follows:

Tunnel Type = GRE (value=10)
Tunnel Medium Type = IP (value=1)
Tunnel Private Group ID = [User Profile Attribute]

Nick Lowe, Official Rep

Technically, it is better not to use the Tunnel-Private-Group-Id as the attribute to map to a User Profile, as it violates the intent of the attribute in the RADIUS RFCs and couples/overloads where it should not. (It is a layering violation in technical jargon.)

You should instead use the Filter-ID as this is standards based. It is fully supported by HiveManager/HiveOS.

For 802.1X, RFC3580 states that the following basic attributes should be present:

"Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID"

The Filter-ID is documented in the RFC as follows:

"3.9. Filter-ID

This attribute indicates the name of the filter list to be applied to
the Supplicant's session. For use with an IEEE 802.1X Authenticator,
it may be used to indicate either layer 2 or layer 3 filters. Layer
3 filters are typically only supported on IEEE 802.1X Authenticators
that act as layer 3 devices."

To perform computer based authentication, simply issue the computers with a digital certificate automatically via a Certificate Server and appropriate Group Policy configuration as well as appropriate supplicant configuration, and check for a domain machine in an appropriate NPS condition on a Network Policy...

Shane Walters

Thanks to both for the replies. I am new to HMOL but have learned a ton implementing 22 APs at a school client of mine. Is there any documentation that explains how to do this on the HMOL side? I think it would be pretty easy to simply add another condition on the RADIUS server stating that if the computer belongs to the "Domain Computers" group then it is allowed access. However, I'm not sure how to configure HMOL. I've attached the only section where I understand how to reassign a user profile.


Nick Lowe, Official Rep

Good question: Take a look at 5-1r1_HiveOS-HiveManager_NewFeatures

Filter-ID based user profile assignment is documented well there under "User Profile Assignments from Returned RADIUS Attribute Values".

You'll specify the VLAN with the Tunnel-Private-Group-ID AVP, you'll specify the User Profile via the Filter-Id AVP.
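The following is an added example (not code from the thread, Aerohive or Microsoft) that encodes and decodes the Access-Accept attribute set Nick Lowe describes in his two replies above: the VLAN carried in the three tagged tunnel attributes from RFC 3580 (Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6), Tunnel-Private-Group-ID), and the user profile carried in Filter-Id (11). The wire layout follows RFC 2865 (Type/Length/Value) and RFC 2868 (tag octet on tunnel attributes). The VLAN number, the profile name "BYOD" and the tag value are constructed sample data; the function names are this example's own. The decoder only treats a tag group as a VLAN assignment when its Tunnel-Type and Tunnel-Medium-Type are the RFC 3580 values, so a receiver that instead follows the GRE/IP convention mentioned earlier in the thread would need its own rule for that group.

```python
"""Encode/decode RADIUS Access-Accept attributes for 802.1X VLAN + profile
assignment (added example, not Aerohive/NPS code).

RFC 2865 attribute layout: Type (1 octet), Length (1 octet, includes the
header), Value. RFC 2868 tunnel attributes carry a leading Tag octet: for the
integer-valued Tunnel-Type / Tunnel-Medium-Type the tag is always present and
is followed by a 3-octet value; for the string-valued Tunnel-Private-Group-ID
a first octet of 0x00..0x1F is a tag, anything larger is part of the string.
"""
import struct

# Attribute type numbers (RFC 2865 / RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Values RFC 3580 requires for VLAN assignment by an 802.1X authenticator
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def _avp(attr_type, value):
    """One Type/Length/Value attribute; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_accept_attributes(vlan_id, user_profile, tag=1):
    """Attributes for an Access-Accept: VLAN via tagged tunnel attributes,
    user profile via Filter-Id. 'vlan_id', 'user_profile' and 'tag' are
    caller-supplied sample values."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 0x00..0x1F")
    tunnel_type = struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]      # 3-octet value
    tunnel_medium = struct.pack("!I", TUNNEL_MEDIUM_802)[1:]
    return b"".join([
        _avp(TUNNEL_TYPE, bytes([tag]) + tunnel_type),
        _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + tunnel_medium),
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
        _avp(FILTER_ID, user_profile.encode("utf-8")),
    ])


def parse_attributes(data):
    """Split raw attribute bytes into (type, value) pairs. A Length below 2 or
    past the end of the buffer is rejected rather than looped on."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def _split_tag(value, integer):
    """Return (tag, payload) following the RFC 2868 tagging rules."""
    if integer:
        if len(value) != 4:
            raise ValueError("tagged integer attribute must be 4 octets")
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:      # leading octet is a tag
        return value[0], value[1:]
    return 0, value                     # untagged string


def interpret_accept(data):
    """Map attributes to {'vlan': int|None, 'user_profile': str|None}.
    Only a tag group with Tunnel-Type=VLAN and Tunnel-Medium-Type=802 and a
    numeric Tunnel-Private-Group-ID is taken as a VLAN assignment."""
    groups, user_profile = {}, None
    for attr_type, value in parse_attributes(data):
        if attr_type == FILTER_ID:
            user_profile = value.decode("utf-8")
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, num = _split_tag(value, integer=True)
            groups.setdefault(tag, {})[attr_type] = num
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = _split_tag(value, integer=False)
            groups.setdefault(tag, {})[attr_type] = s
    vlan = None
    for g in groups.values():
        vid = g.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and vid.isdigit()):
            vlan = int(vid)
            break
    return {"vlan": vlan, "user_profile": user_profile}


if __name__ == "__main__":
    # Constructed sample: BYOD clients on VLAN 20, profile named "BYOD".
    raw = encode_accept_attributes(20, "BYOD")
    print(raw.hex())
    print(interpret_accept(raw))
```

A quick way to use this against a real deployment is to capture the Access-Accept that NPS sends to the AP (the attributes start after the 20-octet RADIUS header) and feed those bytes to interpret_accept: if 'vlan' comes back None, the tunnel attributes are not the RFC 3580 set, and if 'user_profile' is None, no Filter-Id was returned for HiveOS to map.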

Nick Lowe, Official Rep

Screenshot from Aerohive's excellent documentation: