Traffic filtering on Aruba AP

A customer asked me to filter traffic on their Wi-Fi network. To do it, I used the ability of an Instant AP (IAP) cluster to apply filtering rules based on attributes returned by the RADIUS server.

Some technical information about the installation:

  • AP-303 in Instant (virtual controller) mode, version 8.3.0.3
  • RADIUS server: the NPS role on Windows Server
  • Windows Server with Active Directory
  • AirWave version 8.2

Nothing new regarding the initial installation and configuration of the NPS role on Windows Server.

Below is the scheme validated by the customer to authenticate their users.

Authentication scheme

This customer has a mix of domain-joined computers and BYOD devices (Android and Apple phones, personal computers).

Rules were defined as follows:

  • The customer's domain-joined computers are authenticated directly through their machine account, without user authentication
  • Other devices are authenticated with user credentials, and the access granted depends on the security group assigned to the user

To do that, I used the ability to match a specific string returned by the NPS server against a role created on the IAP virtual controller. The filtering rules are then attached to that role. In short: RADIUS attribute = role.

As shown above, the default role is the name of the SSID; a different role is then assigned depending on the string (Callback-Number RADIUS attribute) received from the RADIUS server. Several roles are configured to filter several networks.

In detail, for a Wi-Fi supplicant that is a computer in the AD domain:

  1. The Wi-Fi client starts the EAP exchange with the AP
  2. The AP forwards the identity to the RADIUS server
  3. NPS verifies that the computer account belongs to the domain computers group
  4. NPS grants or refuses access and returns the specific string in the Access-Accept to the IAP virtual controller
  5. The IAP virtual controller assigns the role matching the returned string and applies that role's filtering rules

In detail, for a Wi-Fi supplicant that is not in the AD domain but whose user account is a member of a specific AD security group:

  1. The Wi-Fi client starts the EAP exchange with the AP
  2. The AP forwards the identity to the RADIUS server
  3. NPS checks whether the computer account belongs to the domain computers group
  4. NPS skips this policy because the computer is not in the domain; the next policy in processing order matches (user security group condition)
  5. NPS grants or refuses access and returns the specific string in the Access-Accept to the IAP virtual controller
  6. The IAP virtual controller assigns the role matching the returned string and applies that role's filtering rules
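To make the two decision points above concrete, here is an added example (not code from the original post, nor from Aruba or Microsoft): a small Python model of the ordered NPS policy chain, the IAP role assignment rule driven by the returned attribute, and the per-role access rules evaluated first-match. Every name in it is an assumption chosen for illustration: the group names, the policy names, the strings "CORP-DOMAIN" and "CORP-BYOD", the SSID "CORP" and the 10.10.0.0/16 server network.

```python
# Added example, not code from the original post or from Aruba/Microsoft: a model
# of the two decision points described above (ordered NPS policies, then IAP role
# derivation with per-role access rules). All names and networks are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# --- Active Directory side (constructed data) ---------------------------------
DOMAIN_COMPUTERS = {"PC-FIN-01$", "PC-HR-07$"}          # members of "Domain Computers"
USER_GROUPS = {"alice": {"WIFI-BYOD"}, "bob": set()}     # security groups per user

# --- NPS side: network policies evaluated in processing order -----------------
@dataclass
class NpsPolicy:
    name: str
    condition: Callable[[str], bool]   # "Machine Groups" or "User Groups" condition
    callback_number: str               # Callback-Number attribute sent on Access-Accept

NPS_POLICIES: List[NpsPolicy] = [
    # 1st: domain computers, matched on the machine account, no user credentials needed
    NpsPolicy("Domain computers", lambda i: i in DOMAIN_COMPUTERS, "CORP-DOMAIN"),
    # 2nd: anything else falls through here and must be a user in WIFI-BYOD
    NpsPolicy("BYOD users", lambda i: "WIFI-BYOD" in USER_GROUPS.get(i, set()), "CORP-BYOD"),
]

def nps_authenticate(identity: str) -> Tuple[bool, Dict[str, str]]:
    """First policy whose conditions match wins; no match at all means Access-Reject."""
    for policy in NPS_POLICIES:
        if policy.condition(identity):
            return True, {"Callback-Number": policy.callback_number}
    return False, {}

# --- IAP side: role assignment rules and per-role access rules ----------------
@dataclass
class AccessRule:
    dest: str                  # destination network: "any" or a CIDR
    proto: str                 # "any", "tcp" or "udp"
    ports: Tuple[int, int]     # inclusive destination port range
    action: str                # "permit" or "deny"

ANY_PORT = (0, 65535)
ROLES: Dict[str, List[AccessRule]] = {
    # the default role carries the SSID name and should be the most restrictive one
    "CORP":      [AccessRule("any", "any", ANY_PORT, "deny")],
    "domain-pc": [AccessRule("any", "any", ANY_PORT, "permit")],
    "byod":      [AccessRule("10.10.0.0/16", "any", ANY_PORT, "deny"),   # no access to servers
                  AccessRule("any", "any", ANY_PORT, "permit")],
}

# (attribute, operator, value, role), in the order the IAP evaluates them
ROLE_ASSIGNMENT = [
    ("Callback-Number", "equals", "CORP-DOMAIN", "domain-pc"),
    ("Callback-Number", "equals", "CORP-BYOD", "byod"),
]

def derive_role(attrs: Dict[str, str], ssid: str = "CORP") -> str:
    """First matching assignment rule wins; with no match the SSID-named default role applies."""
    for attr, op, value, role in ROLE_ASSIGNMENT:
        if op == "equals" and attrs.get(attr) == value:
            return role
    return ssid

def is_allowed(role: str, dst_ip: str, dst_port: int, proto: str) -> bool:
    """First-match evaluation of the role's rules; a flow matching no rule is denied (model assumption)."""
    for r in ROLES[role]:
        if r.dest != "any" and ip_address(dst_ip) not in ip_network(r.dest):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if not (r.ports[0] <= dst_port <= r.ports[1]):
            continue
        return r.action == "permit"
    return False

def wifi_session(identity: str, flows: List[Tuple[str, int, str]]) -> Optional[Tuple[str, List[bool]]]:
    """End to end: NPS decision -> returned attribute -> IAP role -> per-flow verdicts."""
    accepted, attrs = nps_authenticate(identity)
    if not accepted:
        return None                      # Access-Reject: no association, no traffic
    role = derive_role(attrs)
    return role, [is_allowed(role, ip, port, proto) for ip, port, proto in flows]

if __name__ == "__main__":
    sample_flows = [("10.10.5.5", 445, "tcp"), ("93.184.216.34", 443, "tcp")]
    for who in ("PC-FIN-01$", "alice", "bob"):
        print(who, "->", wifi_session(who, sample_flows))
```

Two points the model makes visible. First, ordering matters on both sides: NPS stops at the first policy whose conditions match, and the IAP stops at the first assignment rule and the first access rule that match, so the machine policy goes before the user policy and the deny rules go before the catch-all permit. Second, the role is trusted only because it arrives in an Access-Accept from the configured RADIUS server, so the shared secret and the server address configured on the IAP cluster are what protect the whole scheme; keep the SSID-named default role as a deny-all so that a session without a recognised attribute gets nothing rather than everything.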

Author: Kévin SAS

Hello, I'm Kévin SAS, an experienced Network and Security Engineer based in France. Over the years, I have had the privilege of working with a diverse range of clients, providing expert solutions in areas such as Wireless, LAN, Datacenter, and VoIP. I have hands-on experience with leading brands like Cisco, HPE, Aruba, Palo Alto, and many others. Having previously worked for a reputable service provider, I now find myself in a dynamic role as part of an integrator team, where I continuously expand my knowledge and skills. This blog serves as a repository of technical notes and insights that I am enthusiastic about sharing with fellow professionals and enthusiasts.
