While we're talking about NPS and regex, just one note to be aware of. When you make a connection policy, and you're matching multiple IP addresses, you might be tempted to use the following terminology.

10.1.2.1|10.1.2.2|10.1.2.3

However, be aware that it uses REGEX in the connection policies as well. So 10.1.221 would also match (so any address in 10.1.221 would match). You have to escape special characters to use them as normal characters. (\ before each special character) So the above string would be:

10\.1\.2\.1|10\.1\.2\.2|10\.1\.2\.3

I figured I would share, because I found this out the hard way this week. (Addresses matching policies they shouldn't match) I know you guys more familiar with RegEx may have known it, and it's not like it didn't say it on the connection policy page, but it never actually "Clicked" that it was using regex till I had to find out why I had a device not working as expected.

Mike

On Fri, Oct 21, 2011 at 7:52 AM, Craig Pluchinsky <[email protected]> wrote:

> If you don't want to authenticate any users in the NPSDOMAIN then you could
> do a "rewrite" in your connection request policy. Replace username with
> OTHERDOMAIN\username. NPS can use basic regex to find and replace. This can
> be found in Connection Request Policies, YOUR POLICY, Settings then
> Attribute.
>
> We did what you are wanting to do with a rewrite rule but then decided down
> the road it was easier to just make the radius server a member of the domain
> we are trying to authenticate against.
>
> -------------------------------
> Craig Pluchinsky
> IT Services
> Indiana University of Pennsylvania
> 724-357-3327
>
> On Thu, 20 Oct 2011, John York wrote:
>
>> I'm trying to change the default domain that NPS uses to authenticate
>> users. We need to authenticate wireless users through NPS that have
>> accounts in a domain different than the NPS is in, but the server has a valid
>> trust with the other domain. We could install an NPS in the other domain,
>> and use a RADIUS proxy to the remote server. However, it would be simpler
>> if we could just get NPS to change its default domain and authenticate
>> through the trust instead. There's lots of info on the web that this used
>> to work in IAS.
>>
>> I'm trying to use the registry key cited by the following links, but it
>> isn't working for me. I wonder if something has changed in 2008 or R2.
>> http://blogs.technet.com/b/nap/archive/2006/09/19/457603.aspx
>> http://technet.microsoft.com/en-us/library/bb742394.aspx
>> http://technet.microsoft.com/en-us/library/cc958034.aspx
>> The key is
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain REG_SZ
>>
>> When I watch the NPS server log, the User Name comes across as testuser
>> (no domain), but then NPS generates the fqdn user name NPSDOMAIN\testuser,
>> instead of DOMAININREGKEY\testuser. I've both restarted the NPS service and
>> rebooted the server.
>>
>> Thanks
>> John
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
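
The over-matching described in the top message of this thread, as an added example that is not part of the original posts. Python's `re` stands in for the NPS matcher and substring (unanchored) matching is assumed; the probe addresses, the helper names and the `^(...)$` anchoring are additions made here, not something the thread states.

```python
import ipaddress
import re

INTENDED = ["10.1.2.1", "10.1.2.2", "10.1.2.3"]
NAIVE = "10.1.2.1|10.1.2.2|10.1.2.3"              # pattern as first typed
ESCAPED = r"10\.1\.2\.1|10\.1\.2\.2|10\.1\.2\.3"  # pattern after escaping the dots
# Constructed probe addresses, chosen to exercise each failure mode.
PROBES = INTENDED + ["10.1.221.7", "10.1.2.10", "110.1.2.3", "10.1.2.4", "10.112.1.9"]


def build_policy_pattern(addresses):
    """Escape each validated IPv4 address and anchor the alternation (assumption:
    the target engine honours ^, $ and grouping the way Python's re does)."""
    escaped = [re.escape(str(ipaddress.IPv4Address(a))) for a in addresses]
    return "^(" + "|".join(escaped) + ")$"


def unintended_matches(pattern, intended, candidates):
    """Return candidates the pattern accepts that are not in the intended set.
    re.search models an unanchored (substring) match, which is an assumption."""
    rx = re.compile(pattern)
    allowed = set(intended)
    return [c for c in candidates if c not in allowed and rx.search(c)]


def missed_addresses(pattern, intended):
    """Return intended addresses the pattern fails to accept."""
    rx = re.compile(pattern)
    return [a for a in intended if not rx.search(a)]


if __name__ == "__main__":
    for label, pat in [("naive", NAIVE), ("escaped", ESCAPED),
                       ("anchored", build_policy_pattern(INTENDED))]:
        print(f"{label:9} {pat}")
        print("   unintended:", unintended_matches(pat, INTENDED, PROBES))
        print("   missed:    ", missed_addresses(pat, INTENDED))
```

Under these assumptions the unescaped pattern accepts four of the probe addresses it should not, the escaped pattern still accepts two, and the anchored pattern accepts none.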
