Re: RADIUS / group policy and AD

smperry · ‎08-10-2010

Here is an overview of what I am looking to implement:

I have 3 different groups of users: "admins", "staff" and "partners".

These groups of users should each have a different level of access to internal network resources.

i.e. admins have access to all networks; staff have access to the NAS, terminal servers, printers and office computers; and partners have access to the internal web server.

This is the hardware and software I have to work with.

ASA 5510 running ASA 8.3(1)

Win2K8R2 AD DC

Win2K8R2 NPS

I can easily configure a policy on the NPS RADIUS server to authenticate users belonging to a particular AD group and then configure the ASA to use that in the connection profile. The problem is that this appears to work for one AD group only. Is there a way to configure this such that we can have a connection profile which requires a specific AD group membership and then assign group policy accordingly?

Any suggestions would be greatly appreciated.

Cheers.

Marcin Latosiewicz · ‎08-12-2010

I'm sorry I'm not expert on IAS/Radius/Windows.

ACS config allows you to have downloadbale ACLs per group/user.

If you insist on using AD/LDAP natively there can be a certain degree of attribute mapping but in theory it could work.

Why exactly do we have the limitaion of having only one AD group available (one-AD-per-project-sort-of limitation?)

Marcin

smperry · ‎08-12-2010

I do have multiple AD groups configured.

After some more looking over the configuration I think there may be a way to do it.

It looks like I can configure specific network policies which apply to each AD group on the NPS.

Then have the network policy return the RADIUS "class" attribute with the particular group policy needed for that group.

Does that sound workable?

Marcin Latosiewicz · ‎08-13-2010

Purely from RADIUS point of view yes.

LDAP/AD, with a bit of attribute mapping should be workable.

Marcin