Windows Server 2008 R2 RADIUS Authentication

Ashley Sahonta
Level 1

Hi,

I have implemented RADIUS so that users in a Windows group are able to log in to a Cisco device using their Windows login. The issue I have is that users in this group are also able to authenticate through RADIUS for the remote access VPN (on an ASA5510). I have set up a separate Windows group for VPN users. When I created a policy for the VPN, the VPN users were also able to authenticate and log in to the Cisco network devices.

My aim is to have two separate groups - one for administering the Cisco devices and one for VPN access only. This is so that a regular user is not able to log in to a Cisco device.

The setup -

Windows Server 2008 R2 Enterprise x64

NPS Policy - service-type - login (have also used administrative), vendor-specific - Cisco-AV-pair - shell:priv-lvl=15 (have used RADIUS also), encryption setting - basic, strong and strongest, authentication method - PAP + SPAP.

The authentication works fine (VPN + Login) and has worked with the various other settings (above) I have tried.

If anyone has been able to lock the RADIUS down so that it only does what it says on the tin, I would greatly appreciate your help.

Thanks,

Ash

13 Replies

IT Services
Level 1

This is all over the Cisco forums and no real clear answers. I am also having this conundrum. The only way I was able to get this to work is having 2 separate NPS servers, not ideal.

Hi,

You need to add the Windows_Group condition in the network policies of NPS. See attachment NPS_Windows Group.JPG.

No need to have two NPS.

Regards,

~JG

Do rate helpful posts

That does not resolve the issue. You cannot have a policy that points to 2 different AD groups because the device management authentication and VPN authentication use the same NPS server, which would then give the VPN-authenticated users access to the device management.

You need to set up TWO policies with the condition of Windows group. NPS will check all the policies and access will be granted as per the policy it matched. If none matched, access would be denied.

E.g.,

If the request comes from > Admin Device (Routers & Switches) and the user does NOT belong to the Admin AD group -----> Deny Access

If the request comes from > VPN server and the user has successfully authenticated -----> Permit Access.

With this, only a specific AD group will be able to log in to Admin Devices and all AD users would get VPN access.

Hope that helps,

Regards,

-JG

Do rate helpful posts


I have tried this and it still does not have the desired results. The policy set up with the VPN users group allows them to authenticate and manage the Cisco ASA. Please test your configuration and let me know your results. Thanks.

IT Services, I am not at home but as soon as I get there I'll post the answer. I spent about 3 hours trying to get it to work. FINALLY.

Off the top of my head you have to set up a value in conditions, like Login and a Service-Type, and the result on VPN will be Service-Type Outbound. That is the best I can remember off the top of my head.

Great. Thanks for the response Rodney, I look forward to seeing the configuration. I believe I tried the Service-Type configuration but didn't get it to work. I wonder if I have the wrong combination.

Part 1 of 2

This is the first device policy and it is for the management of the network devices. I am leaving work now and will provide part 2 of 2

NPS -> Policies -> Network Policies

Policy Name: Devices

Overview

Policy enabled = True

Grant access -

blah blah blah

Ignore dialin stuff

Conditions

User Groups = NetworkAdmins

Constraints

Unencrypted auth (PAP,SPAP)

Settings

Standard

class shell=Priv-15

Service-Type Login

Sent from Cisco Technical Support iPad App

Ok, I have followed exactly this configuration but the VPN users still have access to administrative functions on the ASA. This does not happen on a Cisco switch though.

Won't be as pretty.

Under conditions I used two things:

User Groups and Called Station Id

User Groups was my VPN group.

For Called Station Id use the external IP address (I have only tested this using my iPad, so I use the IP address; this may need to be the hostname).

On the last page, under Service-Type, select Outbound. This stops them from accessing the devices for management.

***************CHANGE FROM****************

I put Devices first in my list and VPN auth second.

***************CHANGE TO****************

I changed the list to put VPN auth on top. This way I can push them to a VPN profile. With it the other way around it was hitting the Devices policy first for users that are in both VPN_USERS and NetworkAdmins.

Sent from Cisco Technical Support iPad App
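The first-match evaluation JG and Rodney describe, as an added toy model in Python (not code from any poster, and a deliberate simplification of how NPS actually matches conditions): two policies with Windows-group and Called-Station-Id conditions are walked top-down, and a user who is in both VPN_USERS and NetworkAdmins lands on the Devices policy whenever it sits above the VPN policy. The IP addresses, user groups and requests are constructed.

```python
# Added illustration: a toy model of NPS network-policy evaluation (top-down,
# first match wins). Not the real NPS engine and not code from the thread.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset               # Windows Groups condition: user must be in one
    called_station: Optional[str]   # Called-Station-Id condition (None = any NAS)
    service_type: str               # Service-Type returned in the Access-Accept
    av_pairs: tuple = ()            # Cisco-AV-Pair attributes returned


def evaluate(policies, request):
    """Walk the ordered policy list; the first policy whose conditions all
    match decides the result. Returns (policy name, Service-Type, av_pairs),
    or None, which stands for Access-Reject because no policy matched."""
    for p in policies:
        if not (p.groups & request["groups"]):
            continue
        if p.called_station is not None and p.called_station != request["called_station"]:
            continue
        return p.name, p.service_type, p.av_pairs
    return None


# The two policies from the thread. 203.0.113.10 is a constructed stand-in for
# the ASA's outside address used as the Called-Station-Id condition.
DEVICES = Policy("Devices", frozenset({"NetworkAdmins"}), None, "Login", ("shell:priv-lvl=15",))
VPN = Policy("VPN", frozenset({"VPN_USERS"}), "203.0.113.10", "Outbound")


def vpn_request(groups):
    """Constructed Access-Request arriving through the ASA remote-access VPN."""
    return {"groups": frozenset(groups), "called_station": "203.0.113.10"}


def switch_request(groups):
    """Constructed Access-Request for a management login on a switch (192.0.2.20)."""
    return {"groups": frozenset(groups), "called_station": "192.0.2.20"}


def admin_via_vpn(order):
    """Result for a user in BOTH groups dialling in over the VPN, for a given
    policy order: the thread's CHANGE FROM vs CHANGE TO cases."""
    return evaluate(order, vpn_request({"VPN_USERS", "NetworkAdmins"}))


if __name__ == "__main__":
    print("Devices first:", admin_via_vpn([DEVICES, VPN]))        # Devices policy wins
    print("VPN first:    ", admin_via_vpn([VPN, DEVICES]))        # VPN policy wins
    print("VPN-only user on a switch:", evaluate([VPN, DEVICES], switch_request({"VPN_USERS"})))  # None = reject
```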

If you are still having issues we can set up a WebEx and you can look at my configurations.

Sent from Cisco Technical Support iPad App

Ok, last post for the night. IT Services, I have loads of screenshots. I will post the link to the setup stuff tomorrow or Friday. But if you are having issues from now until then please don't hesitate to ask. I'll be more than happy to let you take a look around and even test it yourself. I have two accounts, one with device admin rights and one without, and you can VPN in and test for yourself if you are still having issues.

Thanks for your help, your last suggestion did the trick. Thanks for your help.
