Arista EOS Central - MS NPS not working

Posted on December 9, 2016 9:48 pm

| Asked by syavash azarmi

| 1908 views

« Back to Previous Page

RESOLVED

▲

▼

♥ 0

I have been struggling to get arista auth/autorizaiton on MS NPS and wasnt successful.

i am using the following VSAs:

ATTRIBUTE / Arista-AVPair / 1 / string
ATTRIBUTE / Arista-User-Priv-Level / 2 / integer
ATTRIBUTE / Arista-User-Role / 3 / string
ATTRIBUTE / Arista-CVP-Role / 4 / string

and

• Arista Vendor number: 30065
• Attribute: Arista-AVPair 1 string
• “shell:priv-lvl=<privilege level of a user, 0-15>”
• “shell:roles=<list of roles for a user>”

but cant find the config that works.

any comment or help would be much appreciated.

thanks

▲

▼

✔

Posted by Manuel Lai

Answered on December 14, 2016 3:59 pm

Hi Syavash
There are a couple of things to check when configuring Microsoft NPS to authenticate Arista devices:

If you want to use Active Directory as a user database:
1)The user should have network permissions on Active Directory:
AD Users and Computers/User Properties/Dial-in/Allow Access
2)When using CHAP authentication, Password encryption must be activated:
AD Users and Computers/User Properties/Account/Account Options/Store password using reversible encryption
3)NPS must be registered in AD:
NPS/right click on NPS(Local)/Register Server in Active Directory

Create a New Radius Client (right click on Radius Client/New) with particular attention to the Friendly Name (Used later on policy conditions) and the Shared Secret (configured on the Arista device)

Policies
While creating the NPS Policies (Right click on Network Policies/New) make sure you select the right conditions, i.e:
Select the user group on Windows Groups.
Type the Client Friendly Name as configured before.
On Constraints panel, select protocols (i.e. CHAP,PAP/SPAP)
Standard Radius Attributes, Service Type= NAS Prompt
On Settings panel/Add/Vendor:Custom/Vendor Specific/Add/Enter Vendor Code:30065 and click “Yes it conforms”
Click on Configure Attributes/Attribute format:String Attribute Value:shell:cvp-roles=network-admin (that’s for CVP)

I hope this will help you. In case you are still having issues, please contact support@arista.com
Regards

▲

▼

✔

Posted by Saul Suarez

Answered on October 5, 2017 4:12 pm

This works with one addition on Windows Server 2016 Network Policy Services, CVP version 2017.2.0

* make sure to set Authentication and Authorization settings on CVP portal to RADIUS

« Back to Previous Page

Post your Answer

You must be logged in to post an answer.

Question
[RESOLVED] snmp v3 config asked 1 day ago by Mitchel Martin Timm updated 3 hours ago by Edmund
VxLAN VNI Interface Mapping asked 5 days ago by Steeve Beauvais updated 4 days ago by Wei
[RESOLVED] Must I use all the same version of EOS for switches and CVX? asked 1 week ago by Jaecheol Um updated 1 week ago by Diogo Serrano Mendes
REMOVE A SWITCH FROM CVP? asked 1 week ago by Open3S Tech updated 1 week ago by Wei
Problem with CVX EVPN and other vendor asked 2 weeks ago by Stanislav Tretiakov ♥ 1

MS NPS not working

Post your Answer

Follow Arista EOS Central