
Radius Connection Request Policies to support multiple Device Logins

AFlack20
Level 1

Hi all,

My question is in regards to configuring an NPS on Windows Server 2016. When I attempt to add multiple devices to the Connection Request Policy that I have configured, it seems to break the authentication process. It would seem that I need to create an additional Connection Request Policy for each device?

Can anyone please let me know if this is normal or perhaps my configuration may need some fine tuning?

Thx


9 Replies

Arne Bier
VIP

It's been ages since I touched an NPS server - can you provide a screenshot perhaps?

In ISE you can list multiple IP addresses against a single RADIUS client definition. And the important part is that you include the IP subnet mask as a clarification of how many hosts are covered by that IP address.

e.g.

a single host: 10.10.10.5/32

all 254 hosts in the subnet: 10.10.10.0/24

 

Perhaps NPS has something similar.

Not exactly sure what it is that you want to see, but here's some screenshots...

[Screenshot: NPS1.PNG]

First screenshot is of the connection request policy with only one device allowed.

[Screenshot: Putty1.PNG]

Second screenshot is a successful SSH session established using the above configuration in the NPS server.

[Screenshot: NPS2.PNG]

Third screenshot is of the connection request policy with an additional device added to the policy.

[Screenshot: Putty2.PNG]

Last screenshot is of a failed SSH connection now that an additional device has been added to the connection request policy.

Also let me know if there's anything else more specific you'd like to see.

Thx!

This requires more information from the NPS side; look at the Event Viewer to see why it failed.

The device is passing information to NPS; now it is NPS's decision what is to be done (look at the logs, or post the logs here so we can guide you better).

 

 

BB

Oh, now it's clear to me. The screen resolution is a bit fuzzy, but I think I see what's going on.

 

You have two Conditions that are implicitly joined with an AND operator. This means both conditions have to be true for the Condition to be met.

I would say the solution would be to create two Policies, one per device type. Each Policy only checks for a single condition.

If a policy does not match then NPS will try the next - top down approach.

 

Why do you need to treat these two devices differently? Do they require different RADIUS attributes because of their name/model/location etc.? If not, then stick with one policy and make the condition less restrictive, to allow it to cater for both device types. 

I agree, Connection Request Policies should be more general; however, it is possible to add an OR operator to the value field. I've used various regular expressions in this field and it usually works very well.

 

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-reg-expressions

 

Oh very neat - I will keep that in mind.

Arne, thank you for the reply. I think I understand what you're saying with regard to the conditions, but I'm not entirely clear as to what the operator would be in this instance? For example, the condition would be the Client Friendly Name with the value of the hostname for the switch, router, ASA etc... and the connection request policy would be the operator itself?

To answer your question I don't need to treat these devices with different privilege levels or anything like that. I was just trying to avoid having to make a separate connection request policy for each device. 

Just to be clear on your last statement; You would suggest making the value of the condition of the client friendly name more generic so that it will match multiple devices? Perhaps by using regular expressions as suggested by @Baconframe ?

Does anyone have a working example of this technique? I'm just not particularly well versed with regular expression...

The term "operator" in the context of an expression means things like 'OR' or 'AND'.

e.g. if ( Router1 OR Router2 OR Router3 ) then apply Policy X

 

I don't know exactly what your intent is for your NPS policy - if you can explain what you're trying to do then we can perhaps help. From your example screenshots it looks as if you're doing RADIUS Device Admin to allow operators access to your switches. If you only have two switches then the problem is fairly simple to solve with a single regular expression. But if you wanted to manage hundreds of devices then the logic in NPS would surely be expressed in a more efficient/scalable way. I am imagining that perhaps you'd use a Group concept of some kind. I will say that I am no NPS expert at all, and if there are better ways of doing this in NPS then the Cisco forum might be best effort.

 

The regular expression would entail things like this below for an EXACT match of either of these two switches:

C303-3750X-24P-U9|C303-3850-24P-U14

 

The regex depends on what you're hoping to match on. e.g. if you wanted all devices that start with C303 then use the expression:

^C303

 

And if you want to practise your regular expressions with some guidance, I can't recommend www.regex101.com highly enough - I use it every time.

[Screenshot: regex101.PNG]

 
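The two points made in this thread (conditions in one policy are implicitly ANDed and policies are evaluated top-down, and a single `|` regex condition matches several Client Friendly Names) can be checked offline. The following is an added example, not code from the thread or from Microsoft; it models NPS evaluation as "every condition is a regex search, all conditions must match, first matching policy wins", uses constructed device names, and also shows why the unanchored alternation is broader than an exact match, which matters when the policy hands out privilege level 15.

```python
import re

# Constructed Client Friendly Names for the example (the two from the thread plus two extras).
DEVICES = ["C303-3750X-24P-U9", "C303-3850-24P-U14", "C303-3750X-24P-U9-LAB", "D101-ASA5515"]


def policy_matches(policy, client_friendly_name):
    """Conditions inside one policy are implicitly ANDed: every pattern must match (assumed model)."""
    return all(re.search(pattern, client_friendly_name) for pattern in policy["conditions"])


def evaluate(policies, client_friendly_name):
    """Connection Request Policies are tried top-down; the first match is applied, else no match."""
    for policy in policies:
        if policy_matches(policy, client_friendly_name):
            return policy["name"]
    return None


def matched_devices(policies):
    """Return the constructed device names that some policy in the list would match."""
    return [name for name in DEVICES if evaluate(policies, name) is not None]


# Two Client Friendly Name conditions in ONE policy: both must be true, so no device ever matches.
BROKEN = [{"name": "Switch admin", "conditions": ["C303-3750X-24P-U9", "C303-3850-24P-U14"]}]

# One condition using | as OR, exactly as posted: also matches any name that merely CONTAINS a switch name.
OR_POLICY = [{"name": "Switch admin", "conditions": ["C303-3750X-24P-U9|C303-3850-24P-U14"]}]

# Same alternation anchored with ^ and $: only the two switches, nothing that just contains their names.
EXACT_POLICY = [{"name": "Switch admin", "conditions": ["^(C303-3750X-24P-U9|C303-3850-24P-U14)$"]}]

# Prefix match for every device whose friendly name starts with C303.
PREFIX_POLICY = [{"name": "C303 devices", "conditions": ["^C303"]}]

if __name__ == "__main__":
    for label, policies in [("broken", BROKEN), ("or", OR_POLICY),
                            ("exact", EXACT_POLICY), ("prefix", PREFIX_POLICY)]:
        print(f"{label:>7}: {matched_devices(policies)}")
```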

Just trying to use the NPS to authenticate users that want SSH access to devices against AD, and allow users that pass this authentication to receive privilege level 15 once authenticated.

The "or" operator of | seems to be working. I have a fairly small environment of less than 20 devices. Ideally I will become familiar enough with regular expressions to make that syntax more streamlined in the future, but this works for now.

Thanks again @Arne Bier