Good evening!
I'm getting what I consider inconsistent behaviour from NPS regarding the application of Attribute Manipulation Rules.
We're using NPS to provide authentication in our 802.1X wireless system, and need to be able to identify school owned machines distinctly from non-school owned machines.
My aim was to be able to identify a range of MAC addresses easily, without having to reference them in the Network Policies themselves. I'd thought to use conditions on the Connection Request Policy to specify those address ranges, and then add a suffix to the Calling Station ID attribute - something like ':SO' to denote School Owned - using the Attribute Manipulation rules. For testing purposes I've applied the the AMR to all incoming connections. The AMR is configured as below:
FIND: (^.*)
Replace With: $1:SO
What I'm finding is that it only seems to apply to denied connections:
PacketTypeCalling_Station_IdAccess-AcceptNULL
Access-Request04-E5-36-A9-99-A1
Access-RejectNULL
Access-Request38-AA-3C-DF-26-7C:SO
Access-RejectNULL
Access-Request38-AA-3C-DF-26-7C:SO
Access-AcceptNULL
Access-Request04-E5-36-C2-61-09
Access-RejectNULL
Access-RequestC4-D9-87-1A-EE-C4:SO
Access-RejectNULL
Access-RequestC4-D9-87-1A-F8-15:SO
Access-RejectNULL
Access-Request38-AA-3C-DF-26-7C:SO
Has anyone got any ideas as to why this would be occurring? Any pointers at all would be appreciated!
Thanks,
TG.