Re: IAS Radius - more than 1 policy possible?
- From: "Gonzo" <apollo13@xxxxxxxxxxxxxx>
- Date: Tue, 17 Jul 2007 11:05:17 +0100
I have added the policy to our IAS server, which already has a policy to authenticate our wireless users on it. I added the Cisco Concentrator VPN device to the Radius clients, then added the custom policy as "NAS-IP-Address" and "Windows-Groups".
I tested it and it will only work if I move this policy to number one. If it is number 2 (behind the wireless policy) the VPN users can't log on, as the VPN users try to use the wireless policy. Worried that the wireless users won't authenticate if they are at number 2.
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message news:usizli8xHHA.3464@xxxxxxxxxxxxxxxxxxxxxxx
"Gonzo" <apollo13@xxxxxxxxxxxxxx> wrote in message news:9C23A358-CDDF-4537-B2D8-E7892AE50E71@xxxxxxxxxxxxxxxx
So the NAS-IP-Address and Client-IP-Address options can only be used against other IAS servers.
I didn't say that. They should work fine with any RADIUS/IAS but
these options aren't available (or some of them but I am not looking
right now) in SIMPLE RRAS Policies without IAS.
I want the policy to only accept users from our cisco VPN device and if they are in an AD group?
Sure. You can set a policy that requires BOTH, then it picks the profile
for THOSE users.
So if you have a variety of NAS-network devices then you can MATCH
different policies to different devices or even different types of access
such as IP address of NAS, (and L2TP vs PPTP or PPP dial etc)
Just get all your policies in a sensible order since they are checked TOP
down.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message news:utHs7snxHHA.1188@xxxxxxxxxxxxxxxxxxxxxxx
"Gonzo" <andrewwhite@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:%23QzDTMlxHHA.4800@xxxxxxxxxxxxxxxxxxxxxxx
Is it possible to have more than one policy and associate it with another RADIUS client? For example, have a policy that only accepts authentication for wireless users and from the wireless device only (radius client) and another policy that will only be used to authenticate VPN users from the VPN device?
Yes, and the first one in the IAS (or RRAS) Policy list (top down) that
matches will be used for any particular connection.
I have seen the options NAS-IP-Address and Client-IP-Address, can these options be used to tell a RADIUS client what policy to use?
Yes, but I wouldn't say it this way -- it can be used for the RADIUS server (e.g.,
IAS) to match the policy which will then select the PROFILE and this will be
given to the RADIUS Client to control the connection during the session.
RADIUS Clients don't see the "Policy" only portions of the PROFILE.
At the moment I have two IAS servers, one for VPN and one for wireless access, so I can associate the radius client with the policy.
Not sure what you mean here.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
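
Added example, not part of the thread and not IAS code: a simplified Python model of the top-down, first-match policy selection described in the replies. It shows how a policy with only a group condition shadows a later device-specific policy, and how giving each policy its own NAS-IP-Address condition makes the order irrelevant. The addresses, group names and policy contents are assumptions.

```python
# Simplified model of top-down, first-match policy selection (added example).
# All addresses, group names and policy contents below are constructed.

def matches(policy, request):
    """A policy matches only when every condition it lists is satisfied."""
    cond = policy["conditions"]
    nas = cond.get("NAS-IP-Address")
    if nas is not None and request["NAS-IP-Address"] != nas:
        return False
    groups = cond.get("Windows-Groups")
    # Modelled as: user must belong to at least one listed group.
    if groups is not None and not (groups & request["groups"]):
        return False
    return True

def select_policy(policies, request):
    """Return the name of the first matching policy; later ones are not consulted."""
    for policy in policies:
        if matches(policy, request):
            return policy["name"]
    return None  # nothing matched: the request is rejected

AP_IP, VPN_IP = "192.0.2.10", "192.0.2.20"   # documentation-range addresses

vpn_policy = {"name": "vpn", "conditions": {
    "NAS-IP-Address": VPN_IP, "Windows-Groups": {"VPN-Users"}}}
# Wireless policy with a group condition only: it also matches VPN requests.
wireless_loose = {"name": "wireless", "conditions": {
    "Windows-Groups": {"Domain Users"}}}
# Same policy, additionally tied to the access point's address.
wireless_scoped = {"name": "wireless", "conditions": {
    "NAS-IP-Address": AP_IP, "Windows-Groups": {"Domain Users"}}}

vpn_request = {"NAS-IP-Address": VPN_IP, "groups": {"Domain Users", "VPN-Users"}}
wifi_request = {"NAS-IP-Address": AP_IP, "groups": {"Domain Users"}}

if __name__ == "__main__":
    for label, order in [("loose wireless first", [wireless_loose, vpn_policy]),
                         ("scoped wireless first", [wireless_scoped, vpn_policy]),
                         ("vpn first, scoped", [vpn_policy, wireless_scoped])]:
        print(label, "->", select_policy(order, vpn_request),
              select_policy(order, wifi_request))
```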