Anyconnect VPN-Authentication multiple profiles via Single RADIUS/Windows NPS

r.p.leadbetter (Level 1)

Hi All

Pretty sure this is a stupid question and will be answered immediately, but as I am not an experienced engineer I need some guidance on this.

I have an ASA that has users connecting via the AnyConnect client, everything works fine either using local authentication or RADIUS.

I have a Windows Server 2012 running NPS and the RADIUS auth works fine.

My problem is that I now want to have multiple AC profiles with different levels of access that are all authed through the NPS server. So, for example, I would have the Domain Admins AD group be allowed to access the Admins VPN profile, giving access to all subnets, but the Domain Users AD group would only have access to the Client VPN profile, giving them access to client subnets only.

Any pointers on this would be greatly appreciated

Thanks
Richard

3 Replies

There are multiple ways to achieve that. IMO, the easiest is the following (if there is only a limited number of different profiles):

  1. Configure multiple access-lists for your differentiated access. These ACLs are not assigned to an interface; they are only used for VPN. Mine are always named "VPN-FILTER-USERS", "VPN-FILTER-ADMINS", "VPN-FILTER-SALES" and so on.
  2. Configure multiple group-policies, one for each user group. Configure all parameters as needed and add the "vpn-filter value XXX" command with the name of the ACL.
  3. On the NPS, duplicate your VPN policies as often as needed and add a condition that matches on the user group. Be aware that these policies are compared top-down. If a user is a member of domain-admins and domain-users, the policy for domain-admins needs to be above the rule for domain-users.
  4. In each NPS policy add the RADIUS attribute "Class" (which is #25) with the name of the group-policy on the ASA.

That's it.
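As an added example that is not from the original thread or from either poster: an ASA configuration for steps 1, 2 and 4 of the procedure above (the ASA side), with the matching NPS settings described in comments. The subnets, pool, server address, group-policy names and the shared-secret placeholder are all assumptions; the ACL names follow the convention used in the reply. Two details the steps rely on: the ASA expects the Class (25) value in the form "OU=<group-policy-name>;", and a vpn-filter ACL is written from the client's point of view (source = VPN client address, destination = internal network), with an implicit deny at the end.

```cisco
! ---- Constructed example: addresses and names are assumptions ----
! Pool the AnyConnect clients are assigned from
ip local pool VPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

! Step 1: ACLs used only as vpn-filters (never bound to an interface).
! Source is the client pool, destination is what the client may reach.
access-list VPN-FILTER-ADMINS remark Domain Admins: all internal subnets
access-list VPN-FILTER-ADMINS extended permit ip 10.200.0.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list VPN-FILTER-USERS remark Domain Users: client subnet only, HTTPS and RDP
access-list VPN-FILTER-USERS extended permit tcp 10.200.0.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 443
access-list VPN-FILTER-USERS extended permit tcp 10.200.0.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 3389
! everything else from the client is dropped by the implicit deny

! Step 2: one group-policy per AD group; the name must match the NPS Class value
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL
 vpn-filter value VPN-FILTER-ADMINS

group-policy GP-USERS internal
group-policy GP-USERS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL
 vpn-filter value VPN-FILTER-USERS

! Fail closed (assumed hardening, not in the thread): a user that NPS accepts
! without returning a Class that names a group-policy lands in DfltGrpPolicy,
! which is set to allow zero sessions, so they cannot connect at all.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! RADIUS server group pointing at the Windows NPS (address is an assumption)
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.1.5
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! A single tunnel-group is enough: the group-policy is selected by the
! RADIUS reply, not by which connection profile the user picked.
tunnel-group AC-RADIUS type remote-access
tunnel-group AC-RADIUS general-attributes
 address-pool VPN-POOL
 authentication-server-group NPS
 default-group-policy DfltGrpPolicy
tunnel-group AC-RADIUS webvpn-attributes
 group-alias "Corporate VPN" enable

! Steps 3 and 4 (NPS side, done in the NPS console, not on the ASA):
!   Network Policy "VPN-Admins" (processing order 1):
!     Condition: Windows Groups = CONTOSO\Domain Admins
!     Attribute (RADIUS Standard): Class = OU=GP-ADMINS;
!   Network Policy "VPN-Users"  (processing order 2):
!     Condition: Windows Groups = CONTOSO\Domain Users
!     Attribute (RADIUS Standard): Class = OU=GP-USERS;
! NPS stops at the first policy whose conditions match, so a Domain Admin who is
! also a Domain User receives only the Class from "VPN-Admins".
```

To check the result from the ASA, `test aaa-server authentication NPS host 10.10.1.5 username <user> password <pw>` confirms NPS accepts the credentials, and after a user connects, `show vpn-sessiondb anyconnect filter name <user>` shows the Group Policy and Filter Name the session actually received; `debug radius` shows the raw Class attribute in the Access-Accept if the wrong policy is being applied.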

Hi Karsten

That looks like a great way to do it. I will have a crack over the weekend.

Thank you very much for your advice.

Richard

On the NPS, duplicate your VPN policies as often as needed and add a condition that matches on the user group. Be aware that these policies are compared top-down. If a user is a member of domain-admins and domain-users, the policy for domain-admins needs to be above the rule for domain-users.

So you can't add a user to multiple groups and expect to get multiple access-lists assigned to the VPN connection?
