06-13-2020 07:33 AM
Thank you all for your wonderful support
ASA has a couple of tunnel-groups as below:
(1) Admin VPN - full tunnel
(2) Admin-Split - split tunnel
(3) VPN for all associates
Configured an aaa-server group with the RADIUS protocol.
I see that the Cisco ASA is sending attribute 146 (tunnel-group name) to the RADIUS server while requesting authentication and authorization.
Is there any way Network Policy Server (Windows RADIUS) can consider this as another condition along with group-membership validation?
If someone has come across this kind of requirement, please advise me. Thank you
06-14-2020 04:24 AM - edited 06-14-2020 04:29 AM
Hi,
I had a quick check (using Server 2008 R2 and 2012). I don't think it is possible using NPS, as there does not appear to be an option to match on a vendor-specific AVP during the authentication phase. It's certainly possible using ISE.
NPS does allow you to send a vendor-specific AVP to the client during authorisation. Potentially you could just define 1 tunnel-group and then, as part of authorisation, send a different group-policy, which specifies the split-tunnel, DNS and address pool configuration for the 3 different types of users.
HTH
06-14-2020 10:40 PM
Hi Rob,
Thank you for your time
"Potentially you could just define 1 tunnel-group and then as part of authorisation send a different group-policy, which specifies the split-tunnel, dns, address pool configuration for the 3 different types of users" -- This worked. NPS has sent an attribute (25 - Class) which tells the ASA to provide the user with the group-policy.
But the main problem: when a user is part of multiple groups, to get the required group-policy NPS always validates against only the first matching authentication. Based on your input, it is not possible. Thank you :-)
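The two RADIUS messages discussed in this thread, as an added example that is not from the original posts or from Cisco or Microsoft: the ASA's Access-Request carrying the Cisco vendor-specific attribute 146 (tunnel-group name) that NPS cannot match on, and the Access-Accept carrying Class attribute 25 in the `OU=<group-policy>` form that the ASA uses to select a group-policy. The encoder/parser follows RFC 2865 framing (Cisco's IANA vendor ID is 9), the usernames, addresses, shared secret and policy names are constructed sample values, and User-Password and Message-Authenticator handling is left out because the thread does not discuss them. The response-authenticator check is the one a defender should apply before trusting any group-policy returned by a RADIUS server.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CLASS = 25            # the attribute NPS returned in the thread
ATTR_VENDOR_SPECIFIC = 26

CISCO_VENDOR_ID = 9                # IANA enterprise number for Cisco
CISCO_TUNNEL_GROUP_NAME = 146      # Cisco VSA carrying the tunnel-group name


def avp(attr_type, value):
    """Encode one attribute: type (1 byte), length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_vsa(vendor_type, value):
    """Encode a Vendor-Specific attribute in the vendor-type/vendor-length layout."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(ident, request_auth, username, nas_ip, tunnel_group):
    """ASA -> RADIUS: the request, including the tunnel-group name VSA."""
    attrs = [
        avp(ATTR_USER_NAME, username.encode()),
        avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        cisco_vsa(CISCO_TUNNEL_GROUP_NAME, tunnel_group.encode()),
    ]
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_access_accept(ident, request_auth, secret, group_policy):
    """RADIUS -> ASA: Access-Accept with Class=OU=<group-policy> and a valid response authenticator."""
    body = avp(ATTR_CLASS, f"OU={group_policy}".encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(packet):
    """Return a list of (type, value); VSAs become ((26, vendor_id, vendor_type), value)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            attrs.append(((ATTR_VENDOR_SPECIFIC, vendor_id, vendor_type), value[6:4 + vendor_len]))
        else:
            attrs.append((attr_type, value))
        pos += attr_len
    return attrs


def tunnel_group_from_request(packet):
    """What a policy engine would have to match on to do what the thread asks for."""
    for key, value in parse_attributes(packet):
        if key == (ATTR_VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_TUNNEL_GROUP_NAME):
            return value.decode()
    return None


def verify_access_accept(packet, request_auth, secret):
    """Recompute the response authenticator with the shared secret; reject forgeries/replays."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def group_policy_from_accept(packet, request_auth, secret):
    """Extract the group-policy the ASA would apply, only after the authenticator checks out."""
    if not verify_access_accept(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch")
    for key, value in parse_attributes(packet):
        if key == ATTR_CLASS and value.startswith(b"OU="):
            return value[3:].decode()
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    request_auth = bytes(range(16))         # constructed; real NAS uses random bytes
    req = build_access_request(7, request_auth, "alice", "10.0.0.1", "Admin-Split")
    print("tunnel-group in request:", tunnel_group_from_request(req))
    acc = build_access_accept(7, request_auth, secret, "Admin-Split-GP")
    print("group-policy in accept:", group_policy_from_accept(acc, request_auth, secret))
```

Run over a captured pair of packets, the same parser shows whether the server actually returned a Class attribute and whether the response was produced with the expected shared secret; a mismatch on the latter is worth an alert, since an Access-Accept that fails the authenticator check should never change a user's group-policy.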