Hey Charlie - when you select a radius server for authentication, you, by default also select it for authorization and you are then limited to the radius attributes. The "easiest" approach I think would be to define an LDAP instance against your AD server and use it for the Directory/Attribute selection. Then you have access to all of the LDAP values which would include group, etc......

Hello Kevin,

Thanks for your email, I know LDAP will be easy to implement, but just wanted to see if we can use Radius attributes to get the group working. We want to follow Radius instead of LDAP...

Charlie

Hi Charlie,

In IAS, try setting up a new custom remote access policy and set the policy condition to match the attribute Windows-Group. When you select it you will get a pop up asking what groups to match, select your group and finish the policy of like normal. Also, I think there is a default microsoft policy which you might want to set to deny if you are not using it.

RADIUS should only permit a member now if it is a member of your SSL-USER group. Even though you are matching * in your role mapping policy, it will still be ok as radius will only let users on who match the policy-condition you set through IAS.

This works for a simple single group role mapping, if you want to define different roles based on group membership - this bit I am not so sure about sorry. Would be intrested to know how though - I believe that you can do it by forwarding an attribute from ias to the ive but not sure how to do that.

Cheers,

Gareth

Hey Charlie - Gareth is of course 100% correct in his post! I misread your email. Thanks for the correction. It is very simple to only allow radius users who are a member of "X" group to login to the Windows domain. As Gareth said, this is a radius policy that you set via IAS on the basic Remote Access Policy page.

Trying to do role mapping is where it gets tricky. It is pretty easy to map against radius attributes. Under Remote Access Policies you can select "Edit Profile" and then "Advanced" and then select other attributes to push back to the RAS(SSL VPN) server. In my test site I use a bunch of them.

I have never found an easy way to map a group back to the SSL box directly. However, in thinking about it, you could use any other radius attribute (Class....) and then set the attribute value to whatever you want to match on.

I have a bunch of these setup, so if you have any questions on that approach let me know.

There are several ways.

Easiest would be to define IAS RAS-Policy with condition "windows-group".

Only users who are in windowsgroup XY will be authenticated successfully and be able to login to IVE - thats it.

When you have several windows groups, you can configure multiple RAS-Policies.

You can in addition to that on each RAS-Policy define in advanced tab in profile settings so called return attributes, for example "class(25)" and use that for rolemapping rules on IVE to map users according to class attribute value to a users role. Pretty easy and very logical.

Another way via LDAP Attributes (member / memberOf) - but if you allready use radius maybe the first solution would be easier and not so complicated.

You could also use LDAP to verify groupmembership of a user and map him according to the value of ldap attributes, you can use any active directory user properties attribute for that. To find out the ldap name of the attributes, use ldap browser (freware)

I'm looking to do just this, map the IVE role based on the return attribute from IAS/NPS in DomainY, it seems to work ok, but what about adding group lookups for additional domains?

Would that require an additional NPS in Domain X?

Our user logins do not use domain\user, so the RAS policy in NPS cannot differentiate which domain a user is in....we may be left with a separate realm pointing at a NPS in DomainX

Any thoughts?

Apologies for posting 2-in-a-row....I think I have the answer to my issue...

RADIUS for Authentication, then LDAP for authorization - to do the Group check...which would be picked up in the role mapping rule.