• Microsoft Nps Radius
• Dynamic Vlan Assignment Microsoft Nps Radius Server Login
• Microsoft Radius Server
• Windows Server 2016 Nps Radius

I need to provide remote network access that is restricted depending on the user that dials in (i.e. different users are placed on different VLANs).

I will then implement firewall security (on a separate hardware firewall) between VLANs to restrict what users can access.

Is there any way to assign different users to different VLANs based on their user credentials used during VPN initiation?

NPS 802.1X VLAN Assigment configuration I have been tasked to configure an NPS server to do VLAN assignment based on user authentication credentials. We want for wireless and wired connections to get a VLAN assigned based on the computer account or user authentication. I know 802.1x enough, but not enough to tell you all options. One thing to keep in mind is this. Not all switches support the dynamic VLAN assignment. For example; I now have a Cisco Small Business Wireless Access Point that allows 802.1x authentication, but apparently does not support dynamic VLAN assignment on it.

1 Answer

I think NPS (Network Policy Server / RADIUS) is capable of doing this, however, I'm not sure if it is possible trough VPN:

VLAN Attributes Used in Network Policy

VLAN attributes used in network policy

When you use network hardware, such as routers, switches, and access controllers that support virtual local area networks (VLANs), you can configure Network Policy Server (NPS) network policy to instruct the access servers to place members of Active Directory® groups on VLANs.

Before configuring network policy in NPS for VLANs, create groups of users in Active Directory Domain Services (AD DS) that you want to assign to specific VLANs. Then when you run the New Network Policy wizard, add the Active Directory group as a condition of the network policy.

You can create a separate network policy for each group that you want to assign to a VLAN. For more information, see Create a Group for a Network Policy.

When you configure network policy for use with VLANs, you must configure the RADIUS standard attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type. Some hardware vendors also require the use of the RADIUS standard attribute Tunnel-Tag.

To configure these attributes in a network policy, use the New Network Policy wizard to create a network policy. You can add the attributes to the network policy settings while running the wizard or after you have successfully created a policy with the wizard.

Note

• To add the attributes after you have created the network policy with the wizard, locate the policy in the NPS console and double-click the policy to open it. Click the Settings tab in the policy properties, ensure that RADIUS Attributes - Standard is selected, and then click Add. In the Add Attribute dialog box, add the following attributes.

Tunnel-Medium-Type. Select a value appropriate to the previous selections you made while running the New Network Policy wizard. For example, if the network policy you are configuring is a wireless policy, in Attribute Value, select 802 (Includes all 802 media plus Ethernet canonical format).

Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. For example, if you want to create a Sales VLAN for your sales team by assigning team members to VLAN 4, type the number 4.

Tunnel-Type. Select the value Virtual LANs (VLAN).

Tunnel-Tag. Some hardware devices do not require this attribute. If your hardware device requires this attribute, obtain this value from your hardware documentation.

Not the answer you're looking for? Browse other questions tagged vpnvlanrrasdynamic-vlan-assignment or ask your own question.

IEEE 802.1X standard for port-based networkaccess control and protects Ethernet LANs from unauthorized user access.It blocks all traffic to and from a supplicant (client) at the interfaceuntil the supplicant's credentials are presented and matched on theauthentication server (a RADIUS server). When the supplicant is authenticated,the switch stops blocking access and opens the interface to the supplicant.Read this topic for more information.

802.1X for Switches Overview

How 802.1X Authentication Works

802.1X authentication works by using an authenticator portaccess entity (the switch) to block ingress traffic from a supplicant(end device) at the port until the supplicant's credentials are presentedand match on the authentication server (a RADIUS server). When authenticated,the switch stops blocking traffic and opens the port to the supplicant.

The end device is authenticated in single-secure supplicant mode, or Note

Configuring a VoIP VLAN on private VLAN (PVLAN) interfaces isnot supported.

The following features are supported to authenticate devicesthat are not 802.1X-enabled:

• Static MAC bypass—Provides a bypass mechanism toauthenticate devices that are not 802.1X-enabled (such as printers).Static MAC bypass connects these devices to 802.1X-enabled ports,bypassing 802.1X authentication.

• MAC RADIUS authentication—Provides a means to permithosts that are not 802.1X-enabled to access the LAN. MAC-RADIUS simulatesthe supplicant functionality of the client device, using the MAC addressof the client as username and password.

802.1X Authentication on Trunk Ports

Starting in Junos OS Release 18.4R1, you can configure802.1X authentication on trunk interfaces, which allows the networkaccess device (NAS) to authenticate an access point (AP) or anotherconnected Layer 2 device. An AP or switchconnected to the NAS will support multiple VLANs, so must connectto a trunk port. Enabling 802.1X authentication on the trunk interfaceprotects the NAS from a security breach in which an attacker mightdisconnect the AP and connect a laptop to get free access to networkfor all the configured VLANs.

Please note the following caveats when configuring 802.1X authenticationon trunk interfaces.

• Only single and single-secure supplicant modes are supportedon trunk interfaces.

• You must configure 802.1X authentication locally on thetrunk interface. If you configure 802.1X authentication globally usingthe server-fail-voip).

• Authentication on trunk port is not supported using captiveportal.

• Authentication on trunk port is not supported on aggregatedinterfaces.

• Configuration of 802.1X authentication on interfaces thatare members of private VLANs (PVLANs) is not supported on trunk ports.

Configuring 802.1X Interface Settings (CLI Procedure)

IEEE 802.1X authentication provides network edge security,protecting Ethernet LANs from unauthorized user access by blockingall traffic to and from a supplicant (client) at the interface untilthe supplicant's credentials are presented and matched on the

This setting specifies the number of attempts before theswitch puts the interface in a HELD state.

Understanding RADIUS-Initiated Changes to an Authorized UserSession

When using an authentication service that isbased on a client/server RADIUS model, requests are typically initiatedby the client and sent to the RADIUS server. There are instances inwhich a request might be initiated by the server and sent to the clientin order to dynamically modify an authenticated user session alreadyin progress. The client that receives and processes the messages isthe switch, which acts as the network access server, or NAS. The servercan send the switch a Disconnect message requesting to terminate asession, or a Change of Authorization (CoA) message requesting tomodify the session authorization attributes.

The switch listens for unsolicited RADIUS requests on UPD port3799, and accepts requests only from a trusted source. Authorizationto send a Disconnect or CoA request is determined based on the sourceaddress and the corresponding shared secret, which must be configuredon the switch as well as on the RADIUS server. For more informationabout configuring the source address and shared secret on the switch,see Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.

Disconnect Messages

The RADIUS server sends a Disconnect-Request message to theswitch in order to terminate a user session and discard all associatedsession context. The switch responds to a Disconnect-Request packetwith a Disconnect-ACK message if the request is successful, that is,all associated session context is discarded and the user session isno longer connected, or with a Disconnect-NAK packet if the requestfails, that is, the authenticator is unable to disconnect the sessionand discard all associated session context.

In Disconnect-Request messages, RADIUS attributes are used touniquely identify the switch (NAS) and the user session. The combinationof NAS identification attributes and session identification attributesincluded in the message must match at least one session for the requestto be successful; otherwise, the switch responds with a Disconnect-NAKmessage. A Disconnect-Request message can contain only NAS and sessionidentification attributes; if any other attributes are included, theswitch responds with a Disconnect-NAK message.

Change of Authorization Messages

Change of Authorization (CoA) messages contain information fordynamically modifying the authorization attributes for a user sessionto change the authorization level. This occurs as part of a two-stepauthentication process, in which the endpoint is first authenticatedusing MAC RADIUS authentication, and is then profiled based on thetype of device. The CoA message is used to apply an enforcement policythat is appropriate for the device, typically by changing the datafilters or the VLAN.

The switch responds to a CoA message with a CoA-ACK messageif the authorization change is successful, or a with CoA-NAK messageif the change is unsuccessful. If one or more authorization changesspecified in a CoA-Request message cannot be carried out, the switchresponds with a CoA-NAK message.

In CoA-Request messages, RADIUS attributes are used to uniquelyidentify the switch (acting as the NAS) and the user session. Thecombination of NAS identification attributes and session identificationattributes included in the message must match the identification attributesof at least one session for the request to be successful; otherwise,the switch responds with a CoA-NAK message.

CoA-Request packets also include the session authorization attributesthat will be modified if the request is accepted. The supported sessionauthorization attributes are listed below. The CoA message can containany or all of these attributes. If any attribute is not included aspart of the CoA-Request message, the NAS assumes that the value forthat attribute is to remain unchanged.

• Filter-ID

• Tunnel-Private-Group-ID

• Juniper-Switching-Filter

• Juniper-VoIP-VLAN

• Session-Timeout

CoA Request Port Bounce

When a CoA message is used to change the VLAN for an authenticatedhost, end devices such as printers do not have a mechanism to detectthe VLAN change, so they do not renew the lease for their DHCP addressin the new VLAN. Startingin Junos OS Release 17.3, the port bounce feature can be used to forcethe end device to initiate DHCP re-negotiation by causing a link flapon the authenticated port.

The command to bounce the port is sent from the RADIUS serverusing a Juniper Networks vendor-specific attribute (VSA). The portis bounced if the following VSA attribute-value pair is received inthe CoA message from the RADIUS server:

• Juniper-AV-Pair = “Port-Bounce”

To enable the port bounce feature, you must update the Junosdictionary file (juniper.dct) onthe RADIUS server with the Juniper-AV-Pair VSA. Locate the dictionaryfile and add the following text to the file:

For more information about adding the VSA, consult the FreeRADIUSdocumentation.

You can disable the feature by configuring the edit protocols dot1x authenticator interface interface-namemac-radius] hierachy level.

Error-Cause Codes

When a disconnect or CoA operation is unsuccessful, an Error-Causeattribute (RADIUS attribute 101) can be included in the response messagesent by the NAS to the server to provide detail about the cause ofthe problem. If the detected error does not map to one of the supportedError-Cause attribute values, the router sends the message withoutan error-cause attribute. See Table 1 for descriptions of error-cause codes that can be included in responsemessages sent from the NAS.

Table 1: Error-Cause Codes(RADIUS Attribute 101)

Filtering 802.1X Supplicants by Using RADIUS Server Attributes

There are two ways to configure the a RADIUS server withport firewall filters (Layer 2 firewall filters):

• Include one or more filter terms in the Juniper-Switching-Filterattribute. The Juniper-Switching-Filter attribute is a vendor-specificattribute (VSA) listed under attribute ID number 48 in the Juniperdictionary on the RADIUS server. Use this VSA to configure simplefilter conditions for 802.1X authenticated users. Nothing needs tobe configured on the switch; all of the configuration is on the RADIUSserver.

• Configure a local firewall filter on each switch and applythat firewall filter to users authenticated through the RADIUS server.Use this method for more complex filters. The firewall filter mustbe configured on each switch.

  Note

  If the firewall filter configuration is modified afterusers are authenticated using the 802.1X authentication, then theestablished 802.1X authentication session must be terminated and re-establishedfor the firewall filter configuration changes to take effect.

This topic includes the followingtasks:

Configuring Firewall Filters on the RADIUS Server

You can configure simple filter conditions by using the Juniper-Switching-Filterattribute in the Juniper dictionary on the RADIUS server. These filtersare sent to a switch whenever a new user is authenticated successfully.The filters are created and applied on all EX Series switches thatauthenticate users through that RADIUS server without the need foryou to configure anything on each individual switch.

This procedure describes using FreeRADIUS software toconfigure the Juniper-Switching-Filter VSA. For specific informationabout configuring your server, consult the AAA documentation includedwith your server.

To configure the Juniper-Switching-Filter attribute, enter oneor more filter terms by using the CLI for the RADIUS server. Eachfilter term consists of match conditions with a corresponding action.Enter the filter terms enclosed within quotation marks (' ') by usingthe following syntax:

More than one match condition can be included in a filter term.When multiple conditions are specified in a filter term, they mustall be fulfilled for the packet to match the filter term. For example,the following filter term requires a packet to match both the destination IP address and the destination MAC address to meetthe term criteria:

Multiple filter terms should be separated with commas—forexample:

See Juniper-Switching-Filter VSA Match Conditions and Actions for definitions of match conditions and actions.

On EX9200 switches, and in a Junos Fusion Enterprise withEX9200 as the aggregate device, the dynamic firewall filter is strictlyapplied for all IP packets. If the filter is configured to allow onlya specific destination IP address, packets with other IP addressesas the destination IP will be dropped per the filter rules. This includesany IP protocol packets, such as DHCP, IGMP and ARP packets.

To configure match conditions on the RADIUS server:

1. Verify that the Juniper dictionary is loaded on your RADIUSserver and includes the filtering attribute Juniper-Switching-Filter (attribute ID 48):
   [root@freeradius]# cd /usr/local/etc/raddb
Juniper-Switching-Filter = 'Match Source-dot1q-tag10 Action deny'

2. To deny access based on a destination IP address:

   [root@freeradius]# vi users


   For each relevant user, add the Juniper-Switching-Filter attribute:

   cd /usr/local/etc/raddb
Juniper-Switching-Filter = 'Match Destination-mac00:04:0f:fd:ac:fe, Ip-protocol 2, forwarding-class high, Action loss-priorityhigh'
   Note

   For the forwarding-class option to be applied,the forwarding class must be configured on the switch and the packetloss priority specified. If it is not configured on the switch, thisoption is ignored. You must specify both the forwarding class andthe packet loss priority.

3. Stop and restart the RADIUS process to activate the configuration.

Applyinga Locally Configured Firewall Filter from the RADIUS Server

You can apply a port firewall filter (Layer 2 firewallfilter) to user policies centrally from the RADIUS server. The RADIUSserver can then specify the firewall filters that are to be appliedto each user that requests authentication, reducing the need to configurethe same firewall filter on multiple switches. Use this method whenthe firewall filter contains a large number of conditions or you wantto use different conditions for the same filter on different switches.The firewall filters must be configured on each switch.

For more information about firewall filters, see Firewall Filters for EX Series Switches Overview.

To apply a port firewall filter centrally from the RADIUS server:

If port firewall filters are also configured locally forthe interface, then the firewall filters configured by using VSAstake precedence if they conflict with the locally configured portfirewall filters. If there is no conflict, they are merged.

1. Create the firewall filter on the local switch. See Configuring Firewall Filters (CLI Procedure) for more information on configuring a port firewall filter.
2. On the RADIUS server, open the users file to display the local user profiles of the end devices to whichyou want to apply the filter:
   [root@freeradius]#
vi users

3. Apply the filter to each user profile by adding the Filter-IDattribute with the filter name as the attribute value:

   For example, the user profile below for filter1:

   Note

   Multiple filters are not supported on a single interface.However, you can support multiple filters for multiple users thatare connected to the switch on the same interface by configuring asingle filter with policies for each of those users.

4. Stop and restart the RADIUS process to activate the configuration.

Example: Connecting a RADIUS Server for 802.1X to an EX SeriesSwitch

802.1X is the IEEE standard for port-based networkaccess control (PNAC). You use 802.1X to control network access. Onlyusers and devices providing credentials that have been verified againsta user database are allowed access to the network. You can use a RADIUSserver as the user database for 802.1X authentication, as well asfor MAC RADIUS authentication.

This example describes how to connect a RADIUS server to anEX Series switch, and configure it for 802.1X:

Requirements

This example uses the following software and hardwarecomponents:

• Junos OS Release 9.0 or later for EX Series switches

• One EX Series switch acting as an authenticator port accessentity (PAE). The ports on the authenticator PAE form a control gatethat blocks all traffic to and from supplicants until they are authenticated.

• One RADIUS authentication server that supports 802.1X.The authentication server acts as the backend database and containscredential information for hosts (supplicants) that have permissionto connect to the network.

Before you connect the server to the switch,be sure you have:

• Performed basic bridging and VLAN configuration on theswitch. See the documentation that describes setting up basic bridgingand a VLAN for your switch. If you are using a switch that supportsthe Enhanced Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch with ELS Support . For all other switches,see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.

  Note

  For more about ELS, see Using the Enhanced Layer 2 Software CLI.

• Configured users on the RADIUS authentication server.

Overview and Topology

The EX Series switch acts as an authenticator PAE. It blocksall traffic and acts as a control gate until the supplicant (client)is authenticated by the server. All other users and devices are deniedaccess.

Figure 1 shows one EX4200 switchthat is connected to the devices listed in Table 2.

Table 2: Components of the Topology

In this example, connect the RADIUS server to access port ge-0/0/10on the EX4200 switch. The switch acts as the authenticator and forwardscredentials from the supplicant to the user database on the RADIUSserver. You must configure connectivity between the EX4200 and theRADIUS server by specifying the address of the server and configuringthe secret password. This information is configured in an access profileon the switch.

For more information about authentication, authorization,and accounting (AAA) services, see the Junos OS System Basics Configuration Guide.

Configuration

CLI Quick Configuration

To quickly connect the RADIUS server to theswitch, copy the following commands and paste them into the switchterminal window:

Step-by-Step Procedure

1. Define the address of the servers, and configure the secretpassword. The secret password on the switch must match the secretpassword on the server:
   [edit]
user@switch# set access radius-server 10.0.0.200secret juniper
2. Configure the authentication order, making radius the first method of authentication:
   [edit]
user@switch# set accessprofile profile1 radius authentication-server [10.0.0.100 10.0.0.200]

Results

Display the results of the configuration:

Verification

To confirm that the configuration is workingproperly, perform these tasks:

Verify That the Switch and RADIUS Server Are Properly Connected

Purpose

Verify that the RADIUS server is connected to the switchon the specified port.

Action

Ping the RADIUS server to verify the connection betweenthe switch and the server:

Meaning

ICMP echo request packets are sent from the switchto the target server at 10.0.0.100 to test whether the server is reachableacross the IP network. ICMP echo responses are being returned fromthe server, verifying that the switch and the server are connected.

Understanding Dynamic Filters Based on RADIUS Attributes

You can use RADIUS server attributes to implement port firewallfilters on a RADIUS authentication server. These filters can be dynamicallyapplied to supplicants that request authentication through that server.RADIUS server attributes are clear-text fields encapsulated in Access-Acceptmessages sent from the authentication server to the switch when asupplicant connected to the switch is successfully authenticated.The switch, acting as the authenticator, uses the information in theRADIUS attributes to apply the related filters to the supplicant.Dynamic filters can be applied to multiple ports on the same switch,or to multiple switches that the use same authentication server, providingcentralized access control for the network.

You can define firewall filters directly on the RADIUS serverby using the Juniper-Switching-Filter attribute, which is a RADIUSattribute specific to Juniper Networks, also known as a vendor-specificattribute (VSA). VSAs are described in RFC 2138, RemoteAuthentication Dial In User Service (RADIUS). The Juniper-Switching-FilterVSA is listed under attribute ID number 48 in the Juniper dictionaryon the RADIUS server, with the vendor ID set to the Juniper NetworksID number 2636. Using this attribute, you define filters on theauthentication server, which are applied on all switches that authenticatesupplicants through that server. This method eliminates the need toconfigure the same filters on multiple switches.

Alternatively, you can apply a port firewall filter to multipleports on the same switch by using the Filter-ID attribute, which isRADIUS attribute ID number 11. To use the Filter-ID attribute,you must first configure a filter on the switch, and then add thefilter name to user policies on the RADIUS server as the value ofthe Filter-ID attribute. When a supplicant defined in one of thosepolicies is authenticated by the RADIUS server, the filter is appliedto the switch port that has been authenticated for the supplicant.Use this method when the firewall filter has complex conditions, orif you want to use different conditions for the same filter on differentswitches. The filter named in the Filter-ID attribute must be configuredlocally on the switch at the [VLAN.

Results

Check the results of the configuration:

Verification

To confirm that the configuration and the fallbackoptions are working correctly, perform this task:

Verifying the Configuration of the 802.1X Interface

Purpose

Verify that the 802.1X interface is configured withthe desired options.

Action