Windows NPS Server and Aerohive AP

  • 1
  • Question
  • Updated 3 years ago
I want to set up Aerohive APs and Windows 2013 NPS to only allow domain joined computers on the network. I successfully set up the Aerohive as a RADIUS server and was able to connect to the SSID using domain credentials, but this config allowed all devices as long as you had a username and password. So I scratched that and am now going the route of using an external RADIUS. I just want to restrict the SSID to only allow domain joined devices to use it. (I don't really care about user authentication using NPS.) Why are there no step-by-step instructions on how to do this? All I come across is fragmented pieces of how to do it. Please, if someone could direct me to some clear instructions I would appreciate it. Thanks

massos206

  • 5 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1

AJ Nurcombe

  • 11 Posts
  • 1 Reply Like
Hi Massos,

This is a very useful video - http://blogs.aerohive.com/blog/wifihowtoblog/how-to-configure-microsoft-nps-to-pass-user-profile-attributes-to-an-aerohive-ap

If you are still having issues, please send me an email (anurcombe@aerohive.com) and I can send you step by step instructions on how to achieve this. 

Many thanks,

Ashley

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
What Ashley says! :)

In addition to that, the two approaches that you can use with the RADIUS attributes returned in the Access-Accept are discussed here: https://community.aerohive.com/aerohive/topics/radius-nps-server-configurations

massos206

  • 5 Posts
  • 0 Reply Likes

I watched it and it has some good info, and it seems pretty straightforward to authenticate users or groups.

What would be the steps if I just wanted the "Domain Joined" devices to be able to access the SSID with no regard to what user it is? 

My thought is that this would have to be done before the user logs in, kind of like 802.1X on a switch port and wired network.

It looks like I'm going to need step by step :(


Thanks


Dawn Douglass

  • 67 Posts
  • 3 Reply Likes
If I understand your question correctly you are using an Aerohive AP as a RADIUS proxy and Windows Server NPS to do the authentication against AD, and want to limit associations to only domain joined devices. In this case, I would create an NPS policy and include the condition that the account must be a member of domain\Domain Computers. If you need more detail, just let me know.

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
When a Windows device joins a domain the process is as follows:

  1. Windows device is powered on.
  2. The Windows device completes machine (computer) authentication. This is required for various domain processes, including the ability for users to change their password upon expiry.
  3. The Windows device displays the CTRL+ALT+DEL screen.
  4. The user enters their domain credentials.
  5. The Windows device completes user authentication.
  6. The user now has access to the domain.
The machine (computer) and user authentication are unique authentication processes, so NPS cannot only allow access if machine (computer) AND user authentication complete successfully. Therefore, as a number of people have advised, the only way to only allow domain devices to authenticate (without using client side certificates, which I will assume is more than you want) is to have a single RADIUS rule completing machine (computer) authentication. The user authentication is then handled by the domain infrastructure.

massos206

  • 5 Posts
  • 0 Reply Likes
Thanks. I now have it all set up to where I can return the necessary attributes to Aerohive. (This required setting up a certificate on the NPS; the Aerohive RADIUS test works even if you don't have a certificate because it doesn't use EAP, confusing!!!) The next thing I'm a bit fuzzy on is the user profiles when using RADIUS. It appears that there has to be a default and an authenticated profile. Can you not just set it up with one profile and if it doesn't match, disconnected??? Or, do you have to set it up with a default profile and an authenticated profile? I read somewhere that you have to set a default profile that goes to a phony VLAN or a schedule that can't be matched, and then set up the authenticated profile with the one that matches your returned attribute. Is that correct??

Thanks
Mark

AJ Nurcombe

  • 11 Posts
  • 1 Reply Like
Yes, this is correct. You have to set the default user profile and at least one authenticated profile. Depending on the number of attributes returned, you can have multiple authenticated user profiles for multiple RADIUS attributes.

massos206

  • 5 Posts
  • 0 Reply Likes

I'm really confused now. I set it up as Crowdie mentioned above. I have one condition in my NPS policy that says "Domain Computers". This seems to work when I power up the machine: I look into the event log of the NPS server and it says I was granted access to the server.

What happens next is the problem. As soon as I log in with my domain credentials it disconnects me from the wireless. If I look in the NPS event log it says I was denied access because my user isn't in a group.

Why is it trying to authenticate my user after it already authenticated my machine and gave me access to the network? Is this an Aerohive thing or a Windows thing?

If I try to add "Domain Users" into the policy along with the "Domain Computers" then it denies me with a message saying that I don't have the allow on in the "Dial up Properties" even if it is on.

Please advise.


Thanks

Mark



massos206

  • 5 Posts
  • 0 Reply Likes

I had to change the Wireless Properties > Security > Advanced properties > 802.1X settings > Specify Authentication Mode to "Computer Only" and then it works.

The problem is that you have to be connected to the SSID before you can adjust and save the properties. Am I missing something here????


Ken Maynard

  • 3 Posts
  • 0 Reply Likes
massos206: Your scenario is exactly what I want to do. I can hardly wait for the next instalment! I am just hoping it's sorted before term starts! Thanks Crowdie for your explanation of domain connection/login. But this surely must be a common requirement: "Only allow domain computers to connect", and then "let Windows do its thing to authenticate the logging-in user"? An easy-to-follow how-to would be really great. I wouldn't have a problem with distributing certificates when we issue the laptops, if that could be included in a how-to (especially if it would make logging in easier).

The key thing in our school environment is that the user login experience should be the same as when they plug in to the wired network, that is, they boot up, login and go. The additional requirement is to stop the university students in nearby accommodation using our internet bandwidth via wireless.

We grant bona fide guests access with a code-of-the-day when they check-in at reception. This gives them internet-only access.

We currently serve domain users with a hidden SSID, and a password I enter when issuing the laptops. This is a miserable failure because if this connection fails, they reconnect using the guest SSID as the only one visible, and then complain they can't get at our server facilities. It also fails on security grounds. I have detected a few BYODs on the hidden SSID, so the password secret is (unsurprisingly) out!

I am hoping to distribute whatever is necessary to the laptops to connect as domain computers with a GPO, and then deny access to the guest SSID and the current hidden one a bit later on. Does this seem a reasonable approach? There are about 80 wireless laptops, 40 wired desktops and 350 users. There are 18 wireless APs. It's a 2012R2 domain. The chicken-and-egg problem with a GPO can be addressed by using a wired connection for startup configuration.

I have got as far as adding a new SSID to the site policy, with a RADIUS server set as a Windows NPS on one of the domain servers. I have uploaded to one AP330, and got a result from the TEST RADIUS feature of the online manager. I am now playing with the configurations of the NPS and AP, and am groping in the dark!