1005 Views · 0 Helpful · 4 Replies

Understanding authentication and authorization in FMC Remote Access VPN

baselzind
Level 6

Just to be clear on authentication and authorization in FMC RAVPN: if I set RADIUS for authentication and AD for authorization, would that mean that users are first authenticated against the RADIUS database, and then authorization checks whether these users exist in AD or not, and based on that they are able to connect? In other words, does user "John" have to be in both RADIUS and AD to be able to connect to the RAVPN?

4 Replies

Hi,
You wouldn't set AD to authorise the user; only RADIUS can do authorisation. If your RADIUS server is integrated with AD, you would normally set Authentication, Authorisation and Accounting to the RADIUS server. It would then proxy the authentication request to AD.

HTH

Why not? Can someone please explain the difference between authentication and authorisation?

Authorization is used to determine what a user can and cannot do; authentication identifies the user prior to being allowed access to the network. AD doesn't allow you to create the required authorisation rules; a RADIUS server does.

Cristian Matei
VIP Alumni

Hi,

For VPN, authentication means the user provides some sort of credentials to the VPN gateway in order to establish the VPN tunnel. For VPN, authorization means, once the VPN tunnel has been established, how the user is allowed to build the tunnel (SSL or IPsec, timeouts, etc.) and what the user is allowed to do in the tunnel (split-tunnelling policy, VPN filter, etc.). Because RADIUS, by design, does authentication and authorization in one process, you can't do authentication via RADIUS and authorization via AD/LDAP, or vice versa. But you can do both authentication and authorization via either RADIUS or AD/LDAP (you would need to use FlexConfig for the latter). You can get complex, for no real reason or benefit in general, and do both via RADIUS but have the RADIUS server integrated with LDAP/AD.

Regards,

Cristian Matei.
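An added illustration of the point made in the two replies above (this is example code written for this page, not part of the thread and not Cisco's code): with RADIUS, the authentication verdict and the authorization attributes travel in the same Access-Accept, which is why the two cannot be split across RADIUS and AD. The Python below builds an RFC 2865 Access-Request with the User-Password hidden as the RFC specifies, an in-process toy "server" checks it against a constructed user store and answers with a Class attribute (the `OU=<group-policy>;` form is the convention ASA/FTD use to select a group policy) and a Filter-Id for the VPN filter, and the "VPN gateway" verifies the Response Authenticator before trusting either. The shared secret, user names, passwords and attribute values are all constructed; nothing touches the network. The user with no authorization attributes still authenticates, but lands in the default group policy, which is exactly the gap an authorization source has to fill.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and the attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, CLASS = 1, 2, 4, 11, 25

SECRET = b"constructed-shared-secret"  # constructed; never reuse in real deployments

# Constructed user store standing in for the RADIUS server's backend (or the AD it
# proxies to). Note that the authorization data sits beside the credential: the same
# lookup that authenticates the user also yields what the user may do.
USERS = {
    "john":  {"password": "S3cret!",  "class": b"OU=Sales;", "filter_id": b"sales-acl"},
    "alice": {"password": "Pa55w0rd", "class": None,         "filter_id": None},
}

def hide_password(secret, req_auth, password):
    """RFC 2865 s5.2: XOR 16-byte password chunks with an MD5(secret || previous) keystream."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)          # pad to a multiple of 16 octets
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + chunk, chunk
    return out

def reveal_password(secret, req_auth, hidden):
    """Server side of hide_password(); the keystream chains on the ciphertext chunks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, b)), chunk
    return out.rstrip(b"\x00").decode()

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, including header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs

def access_request(username, password, ident=1):
    """Client (VPN gateway) side: build the Access-Request and keep the Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(SECRET, req_auth, password)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]   # TEST-NET-1 address, constructed
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def server_handle(packet):
    """Toy RADIUS server: authenticate, then attach authorization attributes to the same reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    entry = USERS.get(attrs[USER_NAME].decode())
    password = reveal_password(SECRET, req_auth, attrs[USER_PASSWORD])
    if entry is None or entry["password"] != password:
        code, reply = ACCESS_REJECT, []
    else:
        code = ACCESS_ACCEPT
        reply = [(t, v) for t, v in ((CLASS, entry["class"]), (FILTER_ID, entry["filter_id"])) if v]
    body = encode_attrs(reply)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s3.
    resp_auth = hashlib.md5(header + req_auth + body + SECRET).digest()
    return header + resp_auth + body

def client_evaluate(response, req_auth):
    """Client side: verify the reply came from a holder of the secret, then apply its attributes."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    if response[4:20] != hashlib.md5(response[:4] + req_auth + body + SECRET).digest():
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    if code != ACCESS_ACCEPT:
        return {"authenticated": False}
    attrs = dict(decode_attrs(body))
    group = attrs[CLASS].decode().removeprefix("OU=").rstrip(";") if CLASS in attrs else "DfltGrpPolicy"
    return {"authenticated": True, "group_policy": group,
            "vpn_filter": attrs[FILTER_ID].decode() if FILTER_ID in attrs else None}

def ravpn_login(username, password):
    """One AAA round trip: authentication verdict and authorization attributes in a single reply."""
    req, req_auth = access_request(username, password)
    return client_evaluate(server_handle(req), req_auth)

if __name__ == "__main__":
    for user, pw in (("john", "S3cret!"), ("alice", "Pa55w0rd"), ("john", "wrong")):
        print(user, ravpn_login(user, pw))
```

Run it and the three logins show the three outcomes the thread is about: john is authenticated and authorized into the Sales group policy with a VPN filter; alice is authenticated but gets only the default group policy because nothing in the Accept says otherwise; a bad password is an Access-Reject with no attributes at all. Flipping any byte of the reply makes the Response Authenticator check fail, which is why the shared secret matters even when the password is already hidden.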