Solved: VPN concentrator to pass user group information to IAS server?

watcher60 · ‎11-10-2006

All,

get the feeling the answer will be no, but we have replaced our MS RAS server with a VPN concentrator 3030 using a IAS server to do the authentication on a Win2k3 domain. The issue we are having is that some people are sharing the pcf files with people from other groups. As the IAS just validates the user password, and checks they are in a VPN allowed group which is then allowing them more access than they should, is there anyway for the concentrator to pass the group information to a IAS server to be checked as well? If not does anyone know of a way to check people's ID using the remote access VPN are in the correct group that they are connecting with?

sorry I think I've made the above as clear as mud!

campbellian · ‎11-10-2006

Don't know about your question, but you can cause the IAS server to assign a group to a user by adding the class attribute to a specific IAS security policy. Add class = OU=groupname; (don't omit semicolon)to the RADIUS attributes for IAS policy against which a user will auth, and this will be passed back to the 3030, which will assign them to the appropriate group.

Hope this helps.

View solution in original post

campbellian · ‎11-10-2006

Don't know about your question, but you can cause the IAS server to assign a group to a user by adding the class attribute to a specific IAS security policy. Add class = OU=groupname; (don't omit semicolon)to the RADIUS attributes for IAS policy against which a user will auth, and this will be passed back to the 3030, which will assign them to the appropriate group.

Hope this helps.