07-17-2012 05:41 PM - edited 03-10-2019 07:18 PM
Hello everybody,
I seem to have a pretty simple problem to solve but I can't get my head around it.
I have successfully set up a Windows 2008 box as a RADIUS server and use it to authenticate VPN users against the AD database.
I have also set up a similar policy that permits authentication for management purposes to all my networking devices (routers, switches and the ASA).
Both policies work fine.
Of course I don't want every VPN user to have administrative access to the ASA and every other device on my network.
How can I discriminate between the 2 groups (VPN users and Network administrators)?
07-17-2012 07:24 PM
Hi,
You can create an authorization policy based on the Service-Type attribute that is sent for each of these access-requests. For VPN the Service-Type=Outbound, for dot1x Service-Type=Framed. For administration Service-Type=Login. I hope this helps.
Thanks,
Tarik Admani
*Please rate helpful posts*
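To show what the suggested Service-Type check actually does on the wire, here is an added example (not from this thread or from NPS itself) that builds a constructed RADIUS Access-Request, extracts the Service-Type attribute (RFC 2865 type 6; Login=1, Framed=2, Outbound=5) and applies a policy table mapping each service type to a required group. The group names VPN-Users and Network-Admins and the policy table are assumptions for the example.

```python
import struct

# RFC 2865 Service-Type values named in the thread
SERVICE_TYPE = {1: "Login", 2: "Framed", 5: "Outbound"}

# Assumed policy table: service type -> AD group that may use it.
# Mirrors the idea of one network policy per Service-Type in NPS.
POLICY = {
    "Outbound": "VPN-Users",      # VPN sessions
    "Login": "Network-Admins",    # device management (routers, switches, ASA)
}

def parse_attributes(packet):
    """Parse the RFC 2865 TLV attributes that follow the 20-byte header."""
    attrs = {}
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def build_request(username, service_type):
    """Build a constructed Access-Request (code 1) carrying User-Name and Service-Type."""
    body = bytes([1, len(username) + 2]) + username.encode()      # User-Name (type 1)
    body += bytes([6, 6]) + struct.pack("!I", service_type)        # Service-Type (type 6)
    # code, identifier, length, then a zeroed 16-byte Request Authenticator (placeholder)
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(body)) + bytes(16)
    return header + body

def authorize(packet, user_groups):
    """Decide the request using only Service-Type plus the user's group membership."""
    attrs = parse_attributes(packet)
    values = attrs.get(6)
    if not values or len(values[0]) != 4:
        return "Reject: no Service-Type"
    name = SERVICE_TYPE.get(struct.unpack("!I", values[0])[0], "Unknown")
    required = POLICY.get(name)
    if required is None:
        return f"Reject: Service-Type {name} has no matching policy"
    if required in user_groups:
        return f"Accept: {name} via {required}"
    return f"Reject: {name} requires membership of {required}"
```

A VPN-only user therefore gets Outbound requests accepted but Login requests (device management) rejected, which is the separation the question asks for.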
09-04-2012 10:12 AM
Would this be for the "Connection Request Policy" or for the "Network Connection Policy"?
09-04-2012 10:41 AM
You will have to consult the NPS documentation for confirmation but I think it should be in the "network connection policy" so when you meet this Service-Type Attribute you can trigger the proper authorization response.
thanks,
Tarik Admani
*Please rate helpful posts*