On 01/12/10 15:58, Steven Carr wrote:
> On 01/12/2010 15:53, Phil Mayers wrote:
>> At the present time, we do not believe NPS can be made to transmit the
>> Operator-Name attribute.
>
> Just tacking on the back of this post, apologies. Does anyone have any
> comprehensive instructions for configuring NPS on 2008 R2. I did have a
> go with the ones found on the American Eduroam site, but it just didn't
The only work I've done with NPS was confirming that it suffers these
problems with Operator-Name; on the back of that experience, I would
strongly urge you to consider an alternative radius server. My
recommendation would be FreeRadius.
Having said that, I think you want something like the following:
1. Open Server Manager and drill down to "NPS (local)"
2. Under "Radius Clients and Servers", "Remote RADIUS server groups",
add a new group called "NRPS"; specify the NRPS IPs and the secrets you
have paired with them
3. Under "Policies", "Connection Request Policies", add 2 policies:
* One matching username "@sunderland.ac.uk" authenticating locally
* One matching username "@", forwarding auth & accounting to the NRPS
That is the most basic, bare-bones. There is considerably more to do -
you must for example prevent eduroam loops, and if you are using NPS for
your local wireless, you'll need to bracket these policies with
additional "condition" statements.
> seem to work. We also have an extra requirement in that we want to block
> our own sunderland.ac.uk users from connecting to eduroam whilst on
> campus wireless, so they have to use our NAC solution and not just bypass
> it by using eduroam.
If you do that, it means your users won't be able to set up eduroam and test
it before they leave, which means you are passing the support overhead
of misconfigured clients to the visited site.
In addition, you *must* ensure that you have a working config to
authenticate @sunderland.ac.uk usernames coming from the NRPS - if you
do not, you risk looping them back out to the NRPS, and having your ORPS
banned.
Still, if you must do that, you can do it by adding more conditions to
the CRP (Connection Request Policy) so that @sunderland.ac.uk is only
permitted from a source IP(s) of the NRPS. All of this is very clunky
and tedious under NPS, which is why I strongly advise using something else.
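As an added illustration (not from either poster), a small Python model of the connection request policy ordering discussed above: it shows why the own-realm policy must sit before the "@" catch-all (the wrong order bounces home-realm requests between ORPS and NRPS) and how the campus-only block can be expressed as a source-IP condition. The NRPS addresses, the 10.0.0.5 controller address and the visitor realm are constructed placeholders.

```python
LOCAL_REALM = "sunderland.ac.uk"   # the realm from the thread
# Constructed placeholders (RFC 5737 documentation range), not real NRPS addresses.
NRPS_IPS = {"192.0.2.10", "192.0.2.11"}

def realm_of(username):
    """Realm after the last '@' in User-Name, lower-cased; None if absent."""
    _, sep, realm = username.rpartition("@")
    return realm.lower() if sep else None

def own_realm(user, ip):
    return realm_of(user) == LOCAL_REALM
def own_from_nrps(user, ip):
    return own_realm(user, ip) and ip in NRPS_IPS
def own_from_campus(user, ip):
    return own_realm(user, ip) and ip not in NRPS_IPS
def any_realm(user, ip):
    return realm_of(user) is not None

# A CRP list is (name, condition, action), evaluated in order; first match wins.
SAFE_CRPS = [("local-users", own_realm, "local"),
             ("eduroam-forward", any_realm, "forward-nrps")]
# Same two policies, wrong order: the "@" catch-all shadows the local one.
LOOPING_CRPS = [("eduroam-forward", any_realm, "forward-nrps"),
                ("local-users", own_realm, "local")]
# Blocking own users on campus wireless while still answering the NRPS.
STRICT_CRPS = [("local-users-via-nrps", own_from_nrps, "local"),
               ("own-users-on-campus", own_from_campus, "reject"),
               ("eduroam-forward", any_realm, "forward-nrps")]

def evaluate(crps, user, ip):
    """First matching CRP, or reject if none matches."""
    for name, cond, action in crps:
        if cond(user, ip):
            return name, action
    return "no-match", "reject"

def simulate(crps, user, ip, max_hops=5):
    """Follow one Access-Request through the ORPS. Forwarding a home-realm
    request to the NRPS means the NRPS sends it straight back to us from an
    NRPS address; returns (final action, number of times we processed it)."""
    hops = 0
    while hops < max_hops:
        hops += 1
        _, action = evaluate(crps, user, ip)
        if action != "forward-nrps" or realm_of(user) != LOCAL_REALM:
            return action, hops      # answered here, or a visitor sent on its way
        ip = sorted(NRPS_IPS)[0]     # the NRPS proxies our own realm back to us
    return "loop", hops
```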