Multiple NPS Clients Bound To Specific Network Policies
Posted on 2013-06-03
I have a client that currently uses Windows 2008R2 Network Policy Server to authenticate VPN connections via RADIUS from a Cisco ASA Firewall. The ASA is defined as a RADIUS client and there is one Network Policy that grants access if the user is a member of a Windows "VPN Access" group. This works as advertised.
I am adding a RADIUS capable Cisco WAP to the environment. I want to allow connection to the WAP in the same manner. If the user is a member of a Windows "WAP Access" group, grant access. I have added a second RADIUS client and a second Network Policy that specifies the WAP Access group.
The problem I've run into is that I don't see a way to specify/bind the WAP network policy to only the WAP RADIUS client. The VPN and WAP network policies have a processing order of 1 and 2 respectively. The VPN Access group contains only a small subset of all users. The WAP Access group contains most users. So, in the current configuration, if a user tries to connect to VPN with their username/password pair and they aren't a member of the VPN Access group, it will fail out. However, the Guest WAP policy would then allow the connection. I need a way to bind a RADIUS client to one policy and one policy only. I must be missing something obvious?
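Added example (editor's, not part of the original post): the setup described above rebuilt with netsh nps, with each network policy scoped to its own RADIUS client by a Client Friendly Name condition in addition to the Windows Groups condition. NPS uses the first policy in processing order whose conditions all match and skips (rather than denies on) a policy whose conditions don't match, which is exactly the fall-through described in the post; a per-client condition stops a VPN request from ever being evaluated against the WAP policy. The client names, addresses, shared secrets and group names are placeholders, the script assumes the ActiveDirectory module (RSAT) for Get-ADGroup, and the netsh attribute IDs are my recollection of the netsh nps reference, so confirm them on the box before relying on them.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the NPS server.
#
# Assumptions (labelled): client friendly names, IP addresses, shared secrets
# and group names below are placeholders. The netsh nps attribute IDs are from
# memory of the netsh nps reference:
#   0x1fb5 = Windows Groups (condition, value is a SID)
#   0x1020 = Client Friendly Name (condition, value is a pattern)
#   0x1005 = Access Permission / msNPAllowDialin (profile setting)
# Verify them against a policy built in the NPS MMC with "netsh nps show np".

$asaName = 'ASA-Firewall'
$wapName = 'WAP-Office'

# Windows Groups conditions are stored as SIDs, not names (needs RSAT AD module).
$vpnSid = (Get-ADGroup -Identity 'VPN Access').SID.Value
$wapSid = (Get-ADGroup -Identity 'WAP Access').SID.Value

# 1. RADIUS clients. The friendly name is what the policy condition matches on.
netsh nps add client name="$asaName" address="192.0.2.1" state="ENABLE" sharedsecret="REPLACE-ME-ASA" requireauthattrib="NO" napcompatible="NO" vendor="RADIUS Standard"
netsh nps add client name="$wapName" address="192.0.2.2" state="ENABLE" sharedsecret="REPLACE-ME-WAP" requireauthattrib="NO" napcompatible="NO" vendor="RADIUS Standard"

# 2. Network policies. Conditions within a policy are ANDed. Adding the Client
#    Friendly Name condition (anchored, since the value is a pattern) binds each
#    policy to one RADIUS client, so a request from the ASA can only ever match
#    the VPN policy and a request from the WAP only the WAP policy.
netsh nps add np name="VPN Access (ASA)" state="ENABLE" processingorder="1" policysource="0" `
    conditionid="0x1020" conditiondata="^${asaName}$" `
    conditionid="0x1fb5" conditiondata="$vpnSid" `
    profileid="0x1005" profiledata="TRUE"

netsh nps add np name="WAP Access (wireless)" state="ENABLE" processingorder="2" policysource="0" `
    conditionid="0x1020" conditiondata="^${wapName}$" `
    conditionid="0x1fb5" conditiondata="$wapSid" `
    profileid="0x1005" profiledata="TRUE"

# 3. Check the result. A VPN user who is not in "VPN Access" now matches neither
#    policy, and NPS rejects the request (Security log event 6273) instead of
#    falling through to the WAP policy.
netsh nps show np
```

The same scoping can be done with a Client IPv4 Address condition instead of Client Friendly Name if the client names are likely to change; either way the condition goes on every policy, because a policy with no client condition is still a candidate for every request that reaches it.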