Multiple policy match ("pass-thru" policy) possible in NPS to allow user access to one (or more) resource(s) via VPN based on group membership?

  • Question

  • I have a NPS server terminating vpn connections based on user group.

    I have three security groups:

    Group 1

    Group 2

    Group 3

    The NPS allows VPN access to members in these groups. Additionally, it pushes out a custom RADIUS attribute based on their group membership which controls the resources that user can access on the non-Microsoft VPN server.

    Currently, if a user is in multiple groups, they only get access to the first Network Policy match's resources (and corresponding RADIUS attribute) because it "Stops" processing once it hits the first match.

    Is it possible to have a "pass-thru" policy where it simply adds the radius attributes to the list to send to the user, yet continues processing for any possible additional NPS matches?

    Yes, you can work around it by creating separate NPS rules in this order, but this does not scale, obviously.

    1) Group 1, 2, 3

    2) Group 1, 2

    3) Group 1, 3

    4) Group 3,2

    5) Group 1

    6) Group 2

    7) Group 3.

    • Moved by Aiden_Cao Monday, October 8, 2012 9:32 AM right forum (From:Network Infrastructure Servers)
    Friday, October 5, 2012 7:32 PM

Answers

  • Hi,

    Thanks for your post.

    -> Currently, if a user is in multiple groups, they only get access to the first Network Policy match's resources (and corresponding RADIUS attribute) because it "Stops" processing once it hits the first match. Is it possible to have a "pass-thru" policy where it simply adds the RADIUS attributes to the list to send to the user, yet continues processing for any possible additional NPS matches?

    It's not possible. If a user tries to establish a VPN connection, the NPS server will compare the conditions of the network policies from top to bottom. The connection request will choose the first network policy which meets the conditions requirement. Then, it decides if the request meets all constraint settings. If so, the request gets access. If not, it will be denied, and the connection request will not move to the next network policy.

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    • Proposed as answer by Aiden_Cao Thursday, October 18, 2012 2:21 AM
    • Marked as answer by Aiden_Cao Friday, October 19, 2012 2:00 AM
    Monday, October 8, 2012 9:31 AM
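To make the first-match behaviour from the answer and the per-combination workaround from the question concrete, here is an added Python model (not code from the thread or from NPS itself). Policy and attribute names, and the group-to-attribute mapping, are constructed sample values; the model also shows the general cost of the workaround for any number of groups, which the question only states for three.

```python
from itertools import combinations

# Constructed sample data: the RADIUS attribute value each group grants
# (hypothetical names, not from the original post).
GROUP_ATTRS = {"Group 1": "res-1", "Group 2": "res-2", "Group 3": "res-3"}

# A policy is (name, required groups, constraints satisfied?, attributes to send).
SIMPLE_POLICIES = [
    ("Group 1 policy", frozenset({"Group 1"}), True, ["res-1"]),
    ("Group 2 policy", frozenset({"Group 2"}), True, ["res-2"]),
    ("Group 3 policy", frozenset({"Group 3"}), True, ["res-3"]),
]

def evaluate_first_match(policies, user_groups):
    """Model NPS network-policy processing as the answer describes it:
    policies are checked top to bottom, the first one whose conditions
    match is selected, and its constraints alone decide Access-Accept
    or Access-Reject; processing never falls through to a later policy."""
    for name, required, constraints_ok, attrs in policies:
        if required <= set(user_groups):      # conditions: member of all these groups
            if constraints_ok:
                return ("Access-Accept", name, list(attrs))
            return ("Access-Reject", name, [])  # constraint failure stops here
    return ("Access-Reject", None, [])           # no policy matched at all

def build_workaround_policies(group_attrs=GROUP_ATTRS):
    """Generate the per-combination policy list from the question, ordered
    most-specific first, so the first match already carries every attribute
    the user's full set of memberships should grant."""
    groups = list(group_attrs)
    policies = []
    for size in range(len(groups), 0, -1):
        for combo in combinations(groups, size):
            attrs = [group_attrs[g] for g in combo]
            policies.append((" + ".join(combo), frozenset(combo), True, attrs))
    return policies

def workaround_policy_count(n_groups):
    """Every non-empty subset of groups needs its own policy: 2^n - 1."""
    return 2 ** n_groups - 1

if __name__ == "__main__":
    user = {"Group 1", "Group 3"}
    print(evaluate_first_match(SIMPLE_POLICIES, user))           # only res-1
    print(evaluate_first_match(build_workaround_policies(), user))  # res-1 and res-3
    print(workaround_policy_count(10))                           # 1023 policies
```

Running it shows why the thread's answer is "no": the simple per-group list returns only the first group's attribute, the combination list returns both, and the policy count grows exponentially with the number of groups.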