Monday, July 20, 2020

Issue with Microsoft NPS and AnyConnect VPN

I have spent much longer on an NPS issue than I would like to admit, but let me lay out what I am trying to accomplish.

I have a customer that has a bunch of AnyConnect VPN profiles. They are growing, and as they grow they are dealing with more and more auditors. They have specific VPN profiles set up for different uses/groups of users, and recently they found that any user could log into any of the profiles (go figure...). So because they do not want auditors to try to log into a different VPN profile, and to also prevent nosy users from roaming, they want to lock down each tunnel group to an individual AD group.

I do this with Cisco ISE all the time: you can just set up a match condition based on the incoming tunnel group and then set up another condition on that rule that ties the AD group to it. But for the life of me I cannot figure out how to do this in NPS. I guess it's a very real possibility that it's not possible to do with NPS, but I at least wanted to check with the group here and see if anyone has done this before.

I have tried setting up the settings in the NPS profile to look for RADIUS attribute 146, which is supposed to be tunnel-group, but so far those rules do not work. It seems to only check the Settings tab after the authentication is complete (I assume this would be more like the authorization side of ISE).

So, just to wrap up: the customer has NPS, and we want to lock down a tunnel group to a specific AD group using Connection Request Policies. I need to figure out how to get a tunnel group match rule set up. I also plan on sending a group policy via the network policies, but that part seems to work correctly.

Any ideas?
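To make the check being asked for concrete, here is an added example (not part of the original post, and not NPS configuration) that simulates what the RADIUS server needs to do: parse an Access-Request, pull the tunnel-group name out of the vendor-specific attribute, and allow the login only if the user is in the AD group mapped to that tunnel group. The packet layout follows RFC 2865 (attribute 26 wrapping a vendor ID plus vendor TLVs); the vendor ID 3076 used for attribute 146 is my assumption about how the ASA encodes Tunnel-Group-Name and should be checked against the ASA RADIUS attribute documentation. The user names, tunnel groups, group names and the AD membership table are all constructed for the example; the decision fails closed whenever the attribute is missing or the tunnel group has no policy entry.

```python
import struct
from typing import Dict, Optional, Tuple

ATTR_USER_NAME = 1          # RFC 2865 User-Name
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific wrapper
ASA_VENDOR_ID = 3076        # ASSUMPTION: vendor ID the ASA uses for its VPN attributes
ASA_TUNNEL_GROUP_NAME = 146 # vendor attribute 146, "Tunnel-Group-Name" as named in the post


def build_access_request(username: str, tunnel_group: Optional[str], identifier: int = 1) -> bytes:
    """Build a minimal Access-Request carrying User-Name and, if given, the
    Tunnel-Group-Name VSA. Constructed sample traffic: the 16-byte request
    authenticator is zeroed because only attribute parsing is demonstrated."""
    uname = username.encode()
    attrs = bytes([ATTR_USER_NAME, 2 + len(uname)]) + uname
    if tunnel_group is not None:
        tg = tunnel_group.encode()
        vsa_body = struct.pack("!I", ASA_VENDOR_ID) + bytes([ASA_TUNNEL_GROUP_NAME, 2 + len(tg)]) + tg
        attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa_body)]) + vsa_body
    length = 20 + len(attrs)
    return struct.pack("!BBH", 1, identifier, length) + b"\x00" * 16 + attrs


def parse_attributes(packet: bytes) -> Dict[str, Optional[str]]:
    """Walk the top-level TLV list and the vendor TLVs inside attribute 26,
    returning the User-Name and Tunnel-Group-Name (None when absent)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    result: Dict[str, Optional[str]] = {"username": None, "tunnel_group": None}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            result["username"] = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == ASA_VENDOR_ID:
                vpos = 4
                while vpos < len(value):
                    vtype, vlen = value[vpos], value[vpos + 1]
                    if vlen < 2 or vpos + vlen > len(value):
                        raise ValueError("malformed vendor attribute")
                    if vtype == ASA_TUNNEL_GROUP_NAME:
                        result["tunnel_group"] = value[vpos + 2:vpos + vlen].decode()
                    vpos += vlen
        pos += alen
    return result


# Constructed policy table: which AD group may use each tunnel group.
TUNNEL_GROUP_POLICY = {
    "VPN-Finance": "Finance-VPN-Users",
    "VPN-IT": "IT-VPN-Users",
}

# Constructed stand-in for an AD group-membership lookup.
AD_MEMBERSHIP = {
    "alice": {"Finance-VPN-Users"},
    "bob": {"IT-VPN-Users"},
    "auditor1": set(),
}


def evaluate(packet: bytes,
             policy: Dict[str, str] = TUNNEL_GROUP_POLICY,
             membership: Dict[str, set] = AD_MEMBERSHIP) -> Tuple[bool, str]:
    """Decide the request: allow only if the tunnel group is known and the
    user belongs to the AD group mapped to it. Missing or unknown tunnel
    group is rejected rather than falling through to a permissive default."""
    req = parse_attributes(packet)
    user, tg = req["username"], req["tunnel_group"]
    if tg is None:
        return False, "reject: no Tunnel-Group-Name attribute in request"
    required = policy.get(tg)
    if required is None:
        return False, "reject: tunnel group %r has no policy entry" % tg
    if required in membership.get(user or "", set()):
        return True, "accept: %s on %s via %s" % (user, tg, required)
    return False, "reject: %s is not a member of %s" % (user, required)


if __name__ == "__main__":
    for user, tg in [("alice", "VPN-Finance"), ("alice", "VPN-IT"), ("auditor1", "VPN-Finance"), ("bob", None)]:
        print(evaluate(build_access_request(user, tg)))
```

The point the simulation makes is that the tunnel-group match and the AD-group match have to be evaluated together on the same request; matching only the tunnel group, or only the group, reproduces the "any user can reach any profile" situation described above.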