Here's an example of how to configure NPS to assign users to a VLAN based on their user group, using NPS for the authentication and authorization of users.

The key to getting this to work is the use of a RADIUS attribute called 'Tunnel-Pvt-Group-ID' (Tunnel-Private-Group-ID in RFC 2868). This is a RADIUS attribute that may be passed back to the authenticator (i.e. the WLC or AP) by the authentication server (i.e. NPS) when a successful authentication has been achieved. There are a few other attributes which need to accompany it, but this is the key one, as it specifies the VLAN number that the user should be assigned to. The other attributes that need to be returned by NPS are the two that RFC 3580 pairs with it for 802.1X VLAN assignment: Tunnel-Type, set to VLAN (value 13), and Tunnel-Medium-Type, set to 802 (value 6). Authenticators expect all three to be present and carrying the same tag before they will act on the group ID. We'll have a look at how we specify each of these attributes in an NPS policy.

For our example, we'll assign all 'staff' users to VLAN 10 and all 'student' users to VLAN 20. Here is an overview of what the network might look like (this is obviously very simplified, but gives an overview of the type of thing that might be achieved):

VLAN 10 has an ACL (access control list) that allows users on this VLAN to access all systems across the school network. (The ACL would generally be configured on the layer 3 switch or router that interconnects the school VLANs.) VLAN 20 has an ACL which only allows access to the learning system VLAN and Internet-related services.

By studying the example above, you can see that if we can control a user's VLAN assignment based on their AD group membership, we can ensure that they only receive the network access to which they are entitled (purely via their AD group membership). Also, note that this is all being done on a single SSID ("School" in this case).

Now we'll take a look at how we achieve this using NPS. To configure NPS to provide the VLAN assignments outlined above, we will create 2 policies within NPS:

School Wireless – Staff (to assign members of the staff AD group to VLAN 10).
School Wireless – Students (to assign members of the students AD group to VLAN 20).

The screenshots below outline the configuration required. Here is the policy summary screen within NPS.

1. Note that when configuring multiple policies, the order of the policies is important.
2. Policies are assessed top-down, so make sure the policies that need to be hit are enabled and above any disabled policies. NPS uses the first enabled policy whose conditions match and evaluates no further; if the user then fails that policy's constraints they are rejected rather than tried against the next policy. A user who is a member of both AD groups will therefore always land in the VLAN of whichever policy sits higher in the list.

For the staff policy, add the NAS type and AD group membership conditions (must be members of the staff group):
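The following is an added example and is not code from the original post or from NPS. It shows the RADIUS side of the configuration described above: a small evaluator that mirrors the two NPS policies (first enabled match wins, NAS-Port-Type plus AD group as the conditions), the Access-Accept that NPS would return with the three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = the VLAN number), and the AP/WLC-side parsing that checks the Response Authenticator before trusting the VLAN. The group names (SCHOOL\Staff, SCHOOL\Students), the shared secret and the packets are constructed for illustration.

```python
# Added example, not code from the original post: the RADIUS side of the VLAN
# assignment described above. A small evaluator mirrors the two NPS policies
# (first enabled match wins), builds the Access-Accept with the three RFC 2868
# tunnel attributes, and an AP/WLC-side parser checks the Response Authenticator
# before trusting the VLAN. Group names, shared secret and packets are constructed.
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3          # RFC 2865 packet codes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81  # RFC 2868 attrs
TUNNEL_TYPE_VLAN = 13                        # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6
NAS_PORT_TYPE_WIRELESS = 19                  # NAS-Port-Type: Wireless-IEEE 802.11

# Constructed mirror of the two NPS network policies; list order is policy order.
POLICIES = [
    {"name": "School Wireless - Staff", "enabled": True, "vlan": 10,
     "nas_port_type": NAS_PORT_TYPE_WIRELESS, "group": "SCHOOL\\Staff"},
    {"name": "School Wireless - Students", "enabled": True, "vlan": 20,
     "nas_port_type": NAS_PORT_TYPE_WIRELESS, "group": "SCHOOL\\Students"},
]

def select_policy(groups, nas_port_type, policies=POLICIES):
    """NPS-style evaluation: the first enabled policy whose conditions all match."""
    for policy in policies:
        if (policy["enabled"] and policy["nas_port_type"] == nas_port_type
                and policy["group"] in groups):
            return policy
    return None

def tagged(attr_type, body, tag=1):
    """RFC 2868 tagged attribute: Type, Length, Tag byte, then the value bytes."""
    return struct.pack("!BBB", attr_type, 3 + len(body), tag) + body

def vlan_attributes(vlan_id, tag=1):
    """The three attributes NPS must return together, tied by a common tag."""
    return (tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"), tag)
            + tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"), tag)
            + tagged(TUNNEL_PVT_GROUP_ID, str(vlan_id).encode(), tag))

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def radius_response(groups, nas_port_type, ident, request_auth, secret):
    """Server side: Access-Accept carrying the VLAN of the matching policy, else Reject."""
    policy = select_policy(groups, nas_port_type)
    if policy is None:
        return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)
    return build_response(ACCESS_ACCEPT, ident, request_auth,
                          vlan_attributes(policy["vlan"]), secret)

def verify_response_authenticator(packet, request_auth, secret):
    """Authenticator side: accept nothing that is not keyed with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(data):
    """Yield (type, value) from a RADIUS attribute area, rejecting bad lengths."""
    pos = 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def split_tag(value):
    """RFC 2868: a leading byte <= 0x1F is a tag; otherwise tag 0 and it is data."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def vlan_from_response(packet, request_auth, secret):
    """AP/WLC side: VLAN an authenticated Access-Accept assigns, or None."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged packet")
    if packet[0] != ACCESS_ACCEPT:
        return None
    by_tag = {}                              # all three attributes must share one tag
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
            tag, body = split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PVT_GROUP_ID in group):
            vlan = group[TUNNEL_PVT_GROUP_ID].decode()
            return int(vlan) if vlan.isdigit() else vlan   # NPS also allows a VLAN name
    return None

if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    for groups in ({"SCHOOL\\Staff"}, {"SCHOOL\\Students"}, {"SCHOOL\\Guests"}):
        pkt = radius_response(groups, NAS_PORT_TYPE_WIRELESS, 1, req_auth, secret)
        print(sorted(groups), "->", vlan_from_response(pkt, req_auth, secret))
```

Two things worth checking against this when the real configuration misbehaves. First, a packet capture of the Access-Accept from NPS should show exactly the three attributes above with the same tag; a missing Tunnel-Medium-Type, or a group ID sent as an integer rather than a string, is the usual reason a WLC leaves the client on the default VLAN. Second, the only thing stopping a forged Access-Accept from dropping a client into VLAN 10 is the Response Authenticator, which is an MD5 keyed with the shared secret, so use a long random secret per NAS and, where the equipment supports it, carry RADIUS over IPsec or RadSec (RFC 6614) rather than in the clear.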