Microsoft NPS 2008R2 config to avoid bad usernames flooding NRPS

Download as PDFDownload as PDF

Contents

Network and technology service docs
Phil Mayers, Imperial College London

NPS doesn't offer any conditional/branching features, or a way to bind a client/group to a set of policies, therefore you have to be careful to make sure your policies match appropriately.

RADIUS clients

Home service providers: you should create client entries for each NRPS under the "RADIUS Clients" section; be sure to set their "Friendly Name" to NRPS1, NRPS2, NRPS3 etc. so you can match them below.

Visited service providers: you should create group called "NRPS" in the "Remote RADIUS Server Groups" section. Add the 3 NRPS IPs and set their secrets.

Connection Policies

Home sites should accept everything from the NRPS - that is, only match on the "Client-Friendly-Name" that you've given to the NRPSes.

You should then create the following connection policies, in this order:

1. Home service providers - for authentication of your roaming users

Client-Friendly-Name matches ^NRPS.*
[Hint - n.b. NO extra conditions here - accept all from NRPS]
Authenticate locally

2. Visited and Home service providers - for authentication of your users on your own eduroam service

User-Name matches ^([^@]*)@yourrealm\.ac\.uk$
[Hint - plus matches required to limit to eduroam (see 'limiting matches to eduroam' below)]
Authenticate locally

3. Visited service providers - for authentication of visitors

User-Name matches ^([^@]*)@[-a-zA-Z0-9]+(\.[-a-z-A-Z0-9]+)+$
[Hint - plus matches required to limit to eduroam (see 'limiting matches to eduroam' below)]
Forward to NRPS   [Hint - your NRPS group]

Limiting matches to eduroam

In the case of a Visited site, you may be using your NPS server for other things (e.g. VPN, non-eduroam Wi-Fi). In that case, you will need to make your Visited site policies (2 & 3, above) only apply for eduroam authentication.

A common way to do this if your wireless platform sends attributes of the form:

Called-Station-Id = 00-11-22-33-44-55:eduroam

...is to add the following matches to policies 2 & 3:

Called-Station-Id matches .+:eduroam$

If your NPS server is dedicated to eduroam use, you can omit this match.

HOWEVER: it is important that you *NOT* add a 4th policy saying:

4. No conditions
    Authenticate locally

If you do this, your users will be able to configure eduroam at home using "username" when they should be using "username@yourrealm.ac.uk", and it will fail for them when they roam to another eduroam site.

eduroam
configuration
bad usernames
avoid
  • Twitter logo
  • LinkedIn logo
  • Google+ logo
  • Reddit logo
  • StumbleUpon logo