Bulk create NPS policies
December 12, 2016
Q. How can I bulk create NPS policies?
A. I recently had to create a fairly complicated set of policies on NPS that granted access to specific VLANs based on a user's membership of two different groups: one for the VLAN they could connect to and one for their location. A user therefore had to be in a specific location group, the request had to come from the RADIUS client in that location, and the user had to be in the specific VLAN group for the VLAN that was returned. If I had 20 possible VLANs and 10 locations, that would result in 200 separate policies (you have to multiply them). Creating those manually would be terrible, so I looked for an automated solution.
There is no command-line interface for creating NPS policies, which leaves one option: it is possible to export the configuration to XML and to import a configuration from XML. The solution is therefore:
Export the NPS configuration to XML:
Export-NpsConfiguration -Path NPSConfig.xml
Modify the XML with the policies required.
Import the updated XML:
Import-NpsConfiguration -Path NPSConfig.xml
There are two key elements for each policy. The first defines the policy itself; the second defines its conditions, and those conditions reference users and groups by their security identifiers (SIDs) rather than by name, so you will need the SIDs (use Get-ADUser and look at the SID property; Get-ADGroup exposes the same property for groups).
{00000000-0000-0000-0000-000000000000}
{00000000-0000-0000-0000-000000000000}
1190000000000000000000000000000001a000000000000000000000000000000501629113010
{00000000-0000-0000-0000-000000000000}
Wireless Authentication VLAN291 - LondonLab
USERNTGROUPS("S-1-5-21-3834142513-3770161285-3225119399-3113")
USERNTGROUPS("S-1-5-21-3834142513-3770161285-3225119399-3110")
MATCH("NAS-Identifier=LondonLab")
2
The easiest way to work out the XML you need is to manually create a policy in the Network Policy Server MMC snap-in before exporting, then duplicate that XML in the file with your changes. What is the best way to duplicate that XML? With PowerShell, which I cover in the next FAQ. To help my script, when I created the various groups for each location and VLAN I saved them to a hash table along with their SIDs, which I could then read back into my script to update the XML with the required SIDs. Below is my script to create the VLAN and location groups, if it helps in your environment.
Import-Module ActiveDirectory
$LABs = @(("LABATL","Atlanta"),("LABBOS","Boston"),("LABCHI","Chicago"),("LABDAL","Dallas"),("LABDET","Detroit"),("LABIRV","Irvine"),("LABLA","Los Angeles"),("LABMPLS","Minneapolis"),("LABNY","New York"),("LABPHL","Philadelphia"),("LABDC","Washington DC"),("LABSIVY","Silicon Valley"),("LABSTL","St. Louis"),("LABTOR","Toronto"))
$ParentVLANGRPOU = "OU=VLANGroups,OU=VLANAccess,DC=oneLAB,DC=net"
$ParentLABGRPOU = "OU=LABGroups,OU=VLANAccess,DC=oneLAB,DC=net"
#hash table for the VLANs and SIDs
$vlangrouphash = @{}
#for each VLAN from 2 to 255
foreach($vlannum in 2..255)
{
    $VLANName = 'VLAN' + $vlannum + 'GRP'
    Write-Output $VLANName
    $VLANGroup = New-ADGroup -Name $VLANName -GroupCategory Security -GroupScope Global `
        -DisplayName $VLANName -Path $ParentVLANGRPOU `
        -Description "Group for users of VLAN $vlannum" -PassThru
    $vlangrouphash.Add($VLANName,$VLANGroup.SID)
}
#Save to file
$vlangrouphash | Export-Clixml -Path vlans.xml
#to read in
$vlangrouphash = Import-Clixml -Path vlans.xml
#hash table for the LABs and SIDs
$LABgrouphash = @{}
#for each LAB
foreach($LAB in $LABs)
{
    $LABName = $LAB[0] + 'VLGRP'
    Write-Output $LABName
    $LABGroup = New-ADGroup -Name $LABName -GroupCategory Security -GroupScope Global `
        -DisplayName $LABName -Path $ParentLABGRPOU `
        -Description "Group for users of LAB $($LAB[0])" -PassThru
    $LABgrouphash.Add($LABName,$LABGroup.SID)
}
#Save to file
$LABgrouphash | Export-Clixml -Path LABs.xml
#to read in
$LABgrouphash = Import-Clixml -Path LABs.xml
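Cloning the hand-made policy for every location/VLAN pair, as an added example that is not the post's own script (the post defers that to the next FAQ). It reads the vlans.xml and LABs.xml hash tables saved above and assumes that the export marks both nodes of a policy with a name attribute equal to the policy name, that the element name is the policy name with spaces replaced by underscores, that there is a Processing_Order element, and that the template policy carries the SIDs, NAS-Identifier and VLAN 291 shown in the fragment; check these assumptions against your own NPSConfig.xml.

```powershell
# Added example, not from the post: clone one hand-made NPS policy for every
# (location, VLAN) pair. NPS XML element/attribute names are assumptions taken
# from a manual export; confirm them against your own NPSConfig.xml first.
$vlangrouphash = Import-Clixml -Path vlans.xml     # 'VLAN291GRP' -> SID
$LABgrouphash  = Import-Clixml -Path LABs.xml      # 'LABATLVLGRP' -> SID
$LABs  = @(("LABATL","Atlanta"),("LABBOS","Boston"))   # constructed subset
$vlans = 2..4                                          # constructed subset

[xml]$cfg = Get-Content -Path NPSConfig.xml
# Values from the template policy created in the MMC (as in the post's fragment).
$templateName    = 'Wireless Authentication VLAN291 - LondonLab'
$templateVlanId  = '291'
$templateVlanSid = 'S-1-5-21-3834142513-3770161285-3225119399-3113'
$templateLabSid  = 'S-1-5-21-3834142513-3770161285-3225119399-3110'
$templateNas     = 'LondonLab'

# Both the policy node and its conditions node carry the policy name in a
# 'name' attribute (assumption), so every match is cloned.
$templates = @($cfg.SelectNodes("//*[@name='$templateName']"))
if ($templates.Count -eq 0) { throw "Template '$templateName' not found" }

$order = 100   # processing order must be unique; start above existing policies
foreach ($LAB in $LABs) {
    $labCode = $LAB[0]
    $labSid  = [string]$LABgrouphash["${labCode}VLGRP"]
    foreach ($vlannum in $vlans) {
        $vlanSid = [string]$vlangrouphash["VLAN${vlannum}GRP"]
        $newName = "Wireless Authentication VLAN$vlannum - $labCode"
        foreach ($t in $templates) {
            # Rewrite the clone as text: policy name (also in its underscored
            # element-name form), the two group SIDs and the NAS-Identifier.
            $text = $t.OuterXml
            $text = $text.Replace($templateName, $newName)
            $text = $text.Replace($templateName.Replace(' ','_'), $newName.Replace(' ','_'))
            $text = $text.Replace($templateVlanSid, $vlanSid).Replace($templateLabSid, $labSid)
            $text = $text.Replace("NAS-Identifier=$templateNas", "NAS-Identifier=$labCode")
            $new  = $cfg.ImportNode(([xml]$text).DocumentElement, $true)
            # Returned VLAN: any text node whose whole value is the template VLAN id.
            foreach ($n in $new.SelectNodes('.//text()')) {
                if ($n.Value -eq $templateVlanId) { $n.Value = "$vlannum" }
            }
            $po = $new.SelectSingleNode('.//Processing_Order')   # element name assumed
            if ($po) { $po.InnerText = "$order" }
            $t.ParentNode.AppendChild($new) | Out-Null
        }
        $order++
    }
}
$cfg.Save("$PWD\NPSConfig-bulk.xml")   # then: Import-NpsConfiguration -Path NPSConfig-bulk.xml
```

Review the generated file (and import it on a test NPS server first) before importing into production, since a stray match of the template VLAN id or SID in an unrelated field would be rewritten too.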