We have multiple companies using the same VPN Switch. We've created unique sign-in policies and 2 VPN groups going to different radius IP Addresses on the UAC.
We cant get this to work because we cant create 2 Radius clients using the same source IP and associate them to 2 different location groups.
Why does the Radius client have to be tied to a location group ? Do I have to use the location group if I have sign-in policies ?
We're confused.. Thanks..
>Why does the Radius client have to be tied to a location group ?
if you are not adding radius client to the location group(which inturn is tied to a sign-in policy), RADIUS requests from this orphan radius client are going to be dropped by IC because IC doesn't know which (sign-in policy, Realm and) Auth server to use for authenticating users coming in via radius client.
> Do I have to use the location group if I have sign-in policies ?
Yes. in otherwords you have to add Radius client to a location group and location group to a sign-in policy.
why don't you use different realms for each company and enable following settings for sign-in policy(after adding those realms to the sign-in policy):
"User may specify the realm name as a username suffix" and "Remove realm suffix before passing to authentication server"
Then create different realms/roles for different companies and use different auth server for each realm.
for this to work a user who belongs to realm "company1" will have to give username as [email protected] and "company2" realm user will have to give username as [email protected]
IC will strip off the @companyx from username when forwarding it to that companies auth server.
Thanks for your post.
I can't ask my employees to change their usernames for a variety of reasons.
I created multiple internal IP Addresses on the UAC. I am pointing each company to the distinct IP addresses in the sign in policy. This is how the UAC knows which Realm to apply to the incoming request. I'm surprised that I cant assign 2 location groups the same Radius Client.
Any other thoughts on how to make this happen ?
I understood you reservations in asking your users to change their usernames.
How users are trying to authenticate? are they using OAC or some other client for authentication?
I can suggest fewthings based on your response.
This particular issue is for users of the Nortel Contivity VPN client. We keep it around as a backup to Network Connect. It's curious to me that one radius client cannot hit 2 different sign on policies. I'd love you hear your suggestions but also wonder if this should be a feature enhancement request.
IC doesn't support the attaching a location group to multiple sign-in policies.
regarding enhancement request: please work with your Juniper SE or Juniper Marketing contact.