How do I limit IP addresses on VPN using Windows 2008 NPS?

So I'll try to get all the information in here.

Cisco ASA ver.8.2 - ASDM 6.3
Windows 2008 Server running NPS and AD

Currently I've setup a Connection Profile on the ASA using Radius to authenticate to the NPS/AD server. Everything is working as planned as an admin but what I'm trying to accomplish is limiting IP addresses / servers that some users can hit.

On the Radius server I have 2 profiles: Admin and Staff

The Admin profile (#1) connection conditions are
ClientFriendlyName = Radius Client, NAS Port Type = VPN, and Windows Group is VPNAdmin.
I have my testadmin in this group and when I login I have access to everything.

The Staff profile (#2) connection conditions are
ClientFriendlyName = Radius Client, NAS Port Type = VPN, and Windows Group is VPNStaff.
I also tried using the IP Filter and put in the internal IPs I want the user to hit.
The test user I log in with can access everything, even IPs outside the filter list.

I have set the AD accounts' Dial-In tab to use NPS policies.

So my question is:

How do I get the VPN profile to recognize the IP filters, or am I handling the IP filtering correctly? Or is the internal IP address handling on the ASA?

Thanks in advance and let me know if more information is needed. I'm new to the NPS world.
Topics: Routers, Network Operations, Windows Server 2008
