HI all -

Quick questions that will be easy for all you experts. I am using Juniper Steel-belted Radius for Remote Access Authenticaion off of our Concentrator right now. I want to start deploying 802.1x for vlan assignment and login authentication for the network boxes.

I have been looking around here, and have deducted that Radius has difficulties when you have the same username in multiple groups. Currently, the domain group VPNUSERS is allowing remote access, and that pretty much encompasses all the 1000+ employess for the company. For login authentication, I added a check list for the VPNUSERS (to ensure not everyone can login into my switches) group on the radius server to only allow requests from that of the concentrator, but if I create a new AD group (NETADMINS), put the users that will be allowed to login to the individual network devices, add that group as a user on the radius box, I am receiving an authentication failed error.

Is this because those usernames are currently being denied because those usernames are also a part of the VPNUSERS group, which is failing authentication because the attributes don't match according to the check list? Is there anyway around this without having multiple radius server groups on the network. Thanks for the help.