Multiple NPS Clients Bound To Specific Network Policies

Hello,

I have a client that currently uses Windows 2008R2 Network Policy Server to authentication VPN connections via RADIUS from a Cisco ASA Firewall.  The ASA is defined as a RADIUS client and there is one Network Policy that grants access if the user is a member of a Windows "VPN Access" group.  This works as advertised.

I am adding a RADIUS capable Cisco WAP to the environment.  I want to allow connection to the WAP in the same manner.  If the user is a member of a Windows "WAP Access" group, grant access.  I have added a second RADIUS client and a second Network Policy that specifies the WAP Access group.

The problem I've run into is not seeing a way to specify/bind the WAP network policy to only the WAP RADIUS client.  The VPN and WAP network policies have a processing order of 1 and 2 respectively.  The VPN Access group contains a small subset of all users only.  The WAP Access group contains most users.  So, in the current configuration, if a user tries to connect to VPN with their username/password pair and they aren't a member of the VPN Access group, it will fail out.  However, the Guest WAP policy would then allow the connection.  I need a way to bind a RADIUS client to one policy and one policy only.  I must be missing something obvious?

Thank you.
SafetyNet-TCAsked:
Who is Participating?
 
cantorisConnect With a Mentor Commented:
On the policy for the wireless clients, try adding in an extra Condition - "NAS Port Type" and set it to Wireless 802.11 so that it doesn't apply to the VPN connections.
0
 
SafetyNet-TCAuthor Commented:
Of course.  Thank you.
0
 
cantorisCommented:
Glad it worked for you :)
0
All Courses

From novice to tech pro — start learning today.