Single win2008R2 NPS server to authenticate both VPN users and Device admins

nstamoul0
Level 1

Hello everybody,

I seem to have a pretty simple problem to solve but I can't get my head around it.

I have successfully set up a Windows 2008 box as a RADIUS server and use it to authenticate VPN users against the AD database.

I have also set up a similar policy that permits authentication for management purposes to all my networking devices (routers, switches and the ASA).

Both policies work fine.

Of course I don't want every VPN user to have administrative access to the ASA and every other device on my network.

How can I discriminate between the 2 groups (VPN users and Network administrators)?

3 Replies

Tarik Admani
VIP Alumni

Hi,

You can create an authorization policy based on the Service-Type attribute that is sent for each of these access-requests. For VPN the Service-Type=Outbound, for dot1x Service-Type=Framed. For administration Service-Type=Login. I hope this helps.

Thanks,

Tarik Admani
*Please rate helpful posts*

Would this be for the "Connection Request Policy" or for the "Network Connection Policy"?

You will have to consult the NPS documentation for confirmation but I think it should be in the "network connection policy" so when you meet this Service-Type Attribute you can trigger the proper authorization response.

thanks,

Tarik Admani
*Please rate helpful posts*
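As an added example (not code from this thread, from Cisco or from Microsoft), the small Python model below shows why the network policy needs the Service-Type condition on top of the AD group condition: it evaluates constructed Access-Requests against a policy set that checks groups only and against one that also checks Service-Type, with the values Tarik lists above. User names, group names and NAS addresses are placeholders.

```python
# Added example: a minimal model of NPS-style network policy evaluation.
# Service-Type values follow the reply above (Outbound=VPN, Framed=802.1X,
# Login=device admin); the numeric codes are the RFC 2865 ones.
# Users, groups and NAS addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

SERVICE_TYPE = {"Login": 1, "Framed": 2, "Outbound": 5}

@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    groups: frozenset                   # user must belong to one of these groups
    service_type: Optional[int] = None  # None = no Service-Type condition

# Too broad: neither policy checks Service-Type, so group membership alone
# decides and a VPN user logging in to a switch is still accepted.
BROAD = [
    NetworkPolicy("Device admins", frozenset({"NetAdmins"})),
    NetworkPolicy("VPN users", frozenset({"VPNUsers"})),
]

# Corrected: each policy also requires the Service-Type the NAS sends.
STRICT = [
    NetworkPolicy("Device admins", frozenset({"NetAdmins"}), SERVICE_TYPE["Login"]),
    NetworkPolicy("VPN users", frozenset({"VPNUsers"}), SERVICE_TYPE["Outbound"]),
]

def evaluate(request: dict, user_groups: frozenset, policies: list):
    """First matching policy wins, as NPS processes policies in order.
    Returns (verdict, matched policy name or None)."""
    st = request.get("Service-Type")
    for p in policies:
        if p.service_type is not None and st != p.service_type:
            continue
        if user_groups & p.groups:
            return "Access-Accept", p.name
    return "Access-Reject", None

# Constructed Access-Requests: bob is a VPN user, not a network admin.
BOB_GROUPS = frozenset({"VPNUsers", "Domain Users"})
BOB_VPN = {"User-Name": "bob", "NAS-IP-Address": "192.0.2.10", "Service-Type": 5}
BOB_SSH_TO_SWITCH = {"User-Name": "bob", "NAS-IP-Address": "192.0.2.20", "Service-Type": 1}

if __name__ == "__main__":
    for label, policies in (("broad", BROAD), ("strict", STRICT)):
        print(label, "vpn:", evaluate(BOB_VPN, BOB_GROUPS, policies))
        print(label, "ssh:", evaluate(BOB_SSH_TO_SWITCH, BOB_GROUPS, policies))
```

With the broad set bob's SSH login to the switch is accepted through the "VPN users" policy; with the strict set it falls through every policy and is rejected.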
