I am currently in the process of setting up some Cisco ASA firewalls, for which I want to use Radius authentication on the VPN clients & SSH / ASDM management.
For Radius authentication, I am using NPS on Windows Server 2012, and the ASA is 5515-x running v8.6.
To do this the way I would like it to work, I created two separate NPS policies, one for the VPN with the relevant groups, and a separate policy for the SSH / ASDM management, with the correct management AD group attached. I can see that I can create the two policies within the ASA, and assign these different policies to different functions, but the problem I have is that our RADIUS server cannot distinguish between the two.
Is there a way that I can push through some unique information in the request, so that the RADIUS server can make this distinction? I am finding that although the authentication may fail on the first policy for the ASDM, it is being allowed by the second policy for the VPN, which is obviously no good.
I am willing to use LDAP authentication as a last resort for the SSH / ASDM, but I would rather use RADIUS due to its more "granular" approach and better integration with AD.
Thanks in advance,