How do I limit IP addresses on VPN using Windows 2008 NPS?

mis_gsc
So I'll try to get all the information in here.

Hardware:
Cisco ASA ver.8.2 - ASDM 6.3
Windows 2008 Server running NPS and AD

Currently I've set up a Connection Profile on the ASA using RADIUS to authenticate to the NPS/AD server. Everything is working as planned as an admin, but what I'm trying to accomplish is limiting the IP addresses / servers that some users can hit.

On the RADIUS server I have 2 profiles: Admin and Staff

The Admin profile (#1) connection condition is
ClientFriendlyName = Radius Client, NAS Port Type = VPN, and Windows Group is VPNAdmin
I have my testadmin in this group and when I login I have access to everything.

The Staff profile (#2) connection condition is
ClientFriendlyName = Radius Client, NAS Port Type = VPN and Windows Group is VPNStaff.
I also tried using the IP Filter and put in the internal IPs I want the user to hit.
The test user I log in with can access everything, even IPs outside the filter list.

I have set the AD accounts' Dial-In tab to use NPS policies.

So my Question is:

How do I get the VPN profile to recognize the IP filters, or am I handling the IP filtering correctly? Or is the internal IP address handling on the ASA?

Thanks in advance and let me know if more information is needed. I'm new to the NPS world.
Commented:
I would recommend setting the filter list on the ASA itself.  That's accomplished with a vpn-filter command in the group-policy.  For example:

access-list filter-vpnstaff permit ip any host 192.168.1.12
access-list filter-vpnstaff permit tcp any host 192.168.1.13 eq 80
group-policy VPNStaff attributes
 vpn-filter value filter-vpnstaff

Of course, use your internal IP addresses instead of the ones I indicated.
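A fuller version of the same approach, added here as an example rather than taken from the thread: it applies a restrictive filter to the staff group-policy, leaves the admin group-policy unfiltered, and shows the verification command a practitioner would run afterwards. It assumes the ASA selects the VPNStaff group-policy for staff users because the NPS network policy returns the RADIUS Class attribute with the value "OU=VPNStaff;" (the standard way an ASA maps a RADIUS user to a group-policy), and the addresses and the 10.10.10.0/24 VPN pool are constructed.

```cisco
! Added example, not from the original answer. Constructed values:
! 192.168.1.12 = file server, 192.168.1.13 = intranet web server,
! 10.10.10.0/24 = address pool handed out to VPN clients.
!
! A vpn-filter ACL is written from the VPN client's point of view
! (source = client address, destination = internal host). Like any ASA
! ACL it ends in an implicit deny, so everything not permitted below is
! dropped for users who land in this group-policy, including DNS, so
! permit an internal DNS server here if clients must resolve internal names.
access-list filter-vpnstaff remark Staff: file server, SMB only
access-list filter-vpnstaff extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.12 eq 445
access-list filter-vpnstaff remark Staff: intranet web server
access-list filter-vpnstaff extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.13 eq 80
access-list filter-vpnstaff remark Explicit deny so blocked traffic shows up in hit counts
access-list filter-vpnstaff extended deny ip any any

! Staff users get the filter.
group-policy VPNStaff internal
group-policy VPNStaff attributes
 vpn-filter value filter-vpnstaff

! Admin users get a separate, unfiltered group-policy. Keep the restrictive
! policy off the default group-policy as well, so a user the RADIUS server
! does not map to a group is not silently left unrestricted.
group-policy VPNAdmin internal
group-policy VPNAdmin attributes
 vpn-filter none

! Verification after a staff test user connects: per-line hit counts show
! which permits are matched and how much traffic the final deny is dropping.
! show access-list filter-vpnstaff
```

If the staff user still reaches everything after this, the usual cause is that the session was placed in a different group-policy than VPNStaff, which the ASA's VPN session details will show.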

Author

Commented:
I added some routes like you mentioned above and I'll test it tonight and let you know how it goes.

Thanks

Author

Commented:
Worked just as said.

Thanks for the help and quick reply!
