RE: check group membership in Connection Request Policy
- From: rt-seb <rtseb@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 23 Jan 2007 02:04:00 -0800
Hello,
"Robert Holzwarth" wrote:
There is no special need for CRP, IAS simply only applies CRPs, because
IAS is not able to do authentication, since digital certificates are used on
the NAS.

Note: there are two different policies: CRP and RAS.
It works like this:
- a request arrives at the IAS
- the request is matched against a CRP (based on certain rules a CRP
determines whether this request has to be forwarded to another RADIUS
server or if it has to be terminated at the current IAS)
=> as you want to terminate the request you have to select
"Authenticate request on this server"
- finally the IAS tries to apply a RAS policy to this request
=> you need to have a RAS policy that matches your requests
(e.g. certificate based authentication coming from VPN)

"Robert Holzwarth" wrote:
If the user is a member of the specific group, the access request should be
accepted and a class 25 attribute "OU=some string" is returned to the NAS.
Yes, I am interested in your custom IAS extension. What functionality does
it provide?

Currently, the purpose of this extension is to perform MAC authentication
for clients that do not speak 802.1x (e.g. printers). This is supported by Cisco
("MAC authentication bypass") and HP for example.
The extension determines if it is a MAC authentication. If so the client
will be authenticated using a MAC address database (either a file or Active
Directory/LDAP). If the MAC is known and valid then the extension signals
this to the IAS. Optionally the extension sets attributes for a connection
(e.g. put a device in a special VLAN).
In principle it would also be possible to modify the IAS extension to do
other things, like supporting other authentication methods or sending custom
strings to access devices (switches, APs, VPN gateways ...).
"rt-seb" wrote:
Hello Robert,
"Robert Holzwarth" wrote:
We would like to check group membership of webvpn users, who authenticate
against a Cisco VPN3000 with digital certificates.
Remote Access Policies are not applied at all, if "Accept users without
validating credentials" is enabled in the Connection Request Policy, as far
as I understand IAS.
Is developing our own authorization extension dll the only solution?
You need to provide more information. Why do you need to use
a CRP? Why not use RAS?
Are the users members of certain AD groups? What should happen
after the IAS has determined group membership?
However, if you select "Accept users without .." the RAS policies are
indeed not applied.
Btw, I've developed a custom IAS extension. Maybe this is something
you are interested in.
Bye!
Sebastian
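The evaluation order Sebastian describes above (a request is matched against a CRP first; only when the CRP says "authenticate on this server" are the RAS policies applied, and "Accept users without validating credentials" skips them entirely) and the MAC-authentication extension he outlines, as an added example that is not part of this thread and not Sebastian's extension: a small Python simulation of that pipeline. Everything in it is constructed for illustration: the users, groups, MAC entries, policy names and the radius-proxy.example.net host are hypothetical, `mac_extension` is a stand-in for the DLL (not the IAS extension API), and the VLAN assignment uses the standard Tunnel-Type (13 = VLAN), Tunnel-Medium-Type (6 = IEEE 802) and Tunnel-Private-Group-ID attributes. Note how a 12-hex-digit username would look like a MAC; the Calling-Station-Id cross-check is the guard against that.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Standard RADIUS attributes used below: User-Name(1), Calling-Station-Id(31),
# NAS-Port-Type(61), Class(25), Tunnel-Type(64), Tunnel-Medium-Type(65),
# Tunnel-Private-Group-ID(81). Values are NAS-Port-Type codes from RFC 2865.
NAS_PORT_TYPE_VIRTUAL = 5    # what a VPN gateway reports
NAS_PORT_TYPE_ETHERNET = 15  # a switch port

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw: str) -> Optional[str]:
    """Collapse the formats NASes send (Cisco aabb.ccdd.eeff, HP/Windows
    AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff) to 12 lowercase hex digits."""
    cleaned = re.sub(r"[.:\-]", "", raw.strip().lower())
    return cleaned if _MAC_RE.fullmatch(cleaned) else None

def is_mac_auth(req: dict) -> bool:
    """MAC authentication bypass sends the client MAC as User-Name. A real
    username of 12 hex chars would look the same, so when the NAS also sends
    Calling-Station-Id we require the two to agree."""
    mac = normalize_mac(req.get("User-Name", ""))
    if mac is None:
        return False
    csid = req.get("Calling-Station-Id")
    return csid is None or normalize_mac(csid) == mac

@dataclass
class CRP:  # Connection Request Policy (hypothetical model)
    name: str
    matches: Callable[[dict], bool]
    action: str  # "authenticate_here" | "forward" | "accept_unvalidated"
    forward_to: Optional[str] = None

@dataclass
class RAP:  # Remote Access Policy (hypothetical model)
    name: str
    condition: Callable[[dict, set], bool]
    grant: bool
    attributes: dict = field(default_factory=dict)

def mac_extension(req: dict, mac_db: dict):
    """Stand-in for the custom extension DLL (hypothetical). Returns None when
    the request is not a MAC authentication, else (accepted, reply attrs)."""
    if not is_mac_auth(req):
        return None
    entry = mac_db.get(normalize_mac(req["User-Name"]))
    if not entry or not entry.get("valid"):
        return False, {}
    attrs = {}
    if "vlan" in entry:  # RFC 3580 style VLAN assignment
        attrs = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                 "Tunnel-Private-Group-ID": str(entry["vlan"])}
    return True, attrs

def process_request(req: dict, crps, raps, groups: dict, mac_db=None) -> dict:
    """CRP first; extension and RAPs only when authenticating on this server."""
    crp = next((p for p in crps if p.matches(req)), None)
    if crp is None:
        return {"result": "reject", "reason": "no CRP matched", "attributes": {}}
    if crp.action == "forward":
        return {"result": "forward", "reason": crp.forward_to, "attributes": {}}
    if crp.action == "accept_unvalidated":
        # "Accept users without validating credentials": RAPs are skipped, so
        # no group check runs and no Class attribute is returned to the NAS.
        return {"result": "accept", "reason": crp.name, "attributes": {}}
    if mac_db is not None:
        ext = mac_extension(req, mac_db)
        if ext is not None:
            ok, attrs = ext
            return {"result": "accept" if ok else "reject",
                    "reason": "MAC extension", "attributes": attrs}
    user_groups = groups.get(req.get("User-Name"), set())
    for rap in raps:
        if rap.condition(req, user_groups):
            if rap.grant:
                return {"result": "accept", "reason": rap.name,
                        "attributes": dict(rap.attributes)}
            return {"result": "reject", "reason": rap.name, "attributes": {}}
    return {"result": "reject", "reason": "no RAP matched", "attributes": {}}

# --- constructed sample data (hypothetical users, groups, MACs, hosts) ---
GROUPS = {"alice": {"WebVPN-Users"}, "bob": set()}
MAC_DB = {"001122334455": {"valid": True, "vlan": 20},  # printer -> VLAN 20
          "aabbccddeeff": {"valid": False}}              # decommissioned
CRPS_AUTH_HERE = [
    CRP("Forward foreign realms", lambda r: "@" in r.get("User-Name", "")
        and not r["User-Name"].endswith("@example.com"),
        "forward", "radius-proxy.example.net"),
    CRP("Authenticate on this server", lambda r: True, "authenticate_here"),
]
CRPS_UNVALIDATED = [CRP("Accept without validating", lambda r: True, "accept_unvalidated")]
RAPS = [
    RAP("WebVPN cert users", lambda r, g: r.get("NAS-Port-Type") == NAS_PORT_TYPE_VIRTUAL
        and "WebVPN-Users" in g, True, {"Class": "OU=webvpn"}),
    RAP("Deny all", lambda r, g: True, False),
]
REQUESTS = {
    "alice_vpn": {"User-Name": "alice", "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL},
    "bob_vpn": {"User-Name": "bob", "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL},
    "printer": {"User-Name": "0011.2233.4455", "Calling-Station-Id": "00-11-22-33-44-55",
                "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET},
    "old_device": {"User-Name": "aa:bb:cc:dd:ee:ff", "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET},
    "roamer": {"User-Name": "carol@other.example", "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL},
}

def run(crps) -> dict:
    return {n: process_request(q, crps, RAPS, GROUPS, MAC_DB) for n, q in REQUESTS.items()}

if __name__ == "__main__":
    for label, crps in (("CRP: authenticate here", CRPS_AUTH_HERE),
                        ("CRP: accept unvalidated", CRPS_UNVALIDATED)):
        print(label)
        for name, out in run(crps).items():
            print(f"  {name:10s} -> {out['result']:8s} {out['reason']:26s} {out['attributes']}")
```

Running it with `CRPS_AUTH_HERE` gives alice the Class "OU=webvpn", rejects bob (no group), puts the printer in VLAN 20 via the extension, rejects the decommissioned MAC and forwards the foreign realm; with `CRPS_UNVALIDATED` every request, the printer and the foreign realm included, is accepted with no attributes at all, which is exactly the behaviour Robert ran into.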