Always on VPN with server 2019, NPS (Radius auth) and selectable dhcp subnet selection ....

  • Question

  • Hi,

    I'm playing around with AOVPN now for some weeks and in general it would work as expected. The internal dhcp server is assigning an ip based on the interface selected in rras.

    Deployment and certificate generation is done with Intune and is working fine.

    The only thing I'm not able to do is to force the rras to assign an ip based on a radius (NPS) condition (rras interface selection) ... Radius attributes?

    Is there a possibility to do that with rras 2019 or do I have to search for another solution?

    Thx and best regards

    Stiasny Stefan

    Thursday, July 16, 2020 9:16 AM


All replies

  • Hi,

    Thanks for posting here.

    Could you please explain the issue in more detail? Based on my understanding, do you mean that you want to configure RRAS to use addresses from a DHCP server? Please correct me if my understanding is wrong.


    Best Regards,

    Sunny
    Friday, July 17, 2020 7:52 AM
  • Hi,

    and thanks for replying ...

    The goal is to be able to assign a dhcp address (several scopes on a 2019 MS DHCP) to an always on vpn user based on network policies on the NPS server.

    For example, if the user is in a group called NetworkA he should get an ip from the dhcp scope 172.29.253.0 ... if the user is in group NetworkB he should get an ip from the dhcp scope 172.29.245.0 ... and so on

    Maybe this is possible using the framed-pool attribute or by forcing the RRAS to select the correct interface for a dhcp request.

    Is there a chance to do that?

    Thx and best regards

    Friday, July 17, 2020 9:46 AM
  • Hi,

    Thanks for your reply.

    If you want to assign users in different groups to specific VLANs with an NPS server, then the standard RADIUS attributes "Tunnel-Medium-Type", "Tunnel-Pvt-Group-ID" and "Tunnel-Type" need to be used.

    Here is an article talking about detailed configuration, you might have a look:

    Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    For your reference:

    Configure a Network Policy for VLANs

    Hope my answer will help you. Thanks!


    Best Regards,

    Sunny
    Wednesday, July 22, 2020 8:29 AM
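
Added example, not part of the thread and not Microsoft code: a Python sketch that decodes the RADIUS attributes named in the posts above (the three tunnel attributes and Framed-Pool) from an Access-Accept, which is a way to confirm from a packet capture what a network policy actually returned. The VLAN ID `253`, the pool name `NetworkA` as a Framed-Pool value, and the zeroed authenticator are constructed sample values.

```python
import struct

# Attribute numbers from RFC 2865 / 2868 / 2869.
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID, FRAMED_POOL = 64, 65, 81, 88
VLAN, IEEE_802 = 13, 6  # Tunnel-Type / Tunnel-Medium-Type values for VLAN assignment

def attr(atype, value):
    """Encode one attribute: type, length (including the 2 header bytes), value."""
    return bytes([atype, len(value) + 2]) + value

def tagged_int(number, tag=0):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return bytes([tag]) + number.to_bytes(3, "big")

def access_accept(attrs, identifier=1):
    """Constructed Access-Accept (code 2); the authenticator is zeroed, not computed."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", 2, identifier, 20 + len(body), bytes(16)) + body

def parse_attrs(packet):
    """Return {type: raw value} for the attributes after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        alen = packet[pos + 1]
        found[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return found

def summarize(packet):
    """Report the VLAN ID (only if both tunnel integers match) and the Framed-Pool."""
    a = parse_attrs(packet)
    def as_int(t):
        v = a.get(t)
        return int.from_bytes(v[1:4], "big") if v and len(v) == 4 else None
    group = a.get(TUNNEL_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:  # strip the optional leading tag byte
        group = group[1:]
    is_vlan = as_int(TUNNEL_TYPE) == VLAN and as_int(TUNNEL_MEDIUM) == IEEE_802
    pool = a.get(FRAMED_POOL)
    return {"vlan": group.decode() if is_vlan and group else None,
            "framed_pool": pool.decode() if pool is not None else None}

# Constructed sample reply carrying all four attributes.
SAMPLE = access_accept([attr(TUNNEL_TYPE, tagged_int(VLAN)), attr(TUNNEL_MEDIUM, tagged_int(IEEE_802)),
                        attr(TUNNEL_GROUP_ID, b"253"), attr(FRAMED_POOL, b"NetworkA")])
```
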
  • Hi and thanks for your answer ...

    I do already use this feature for assigning VLANs to the company devices (PEAP - Cert based) for LAN and Wifi

    ... and I would have tried to do the same with the rras and a trunk port on the switch ... but the problem is that the rras server is virtualized (XCP). Therefore there is no chance using a trunk port.

    I tried using multiple adapters with rras server already and assigning the dhcp scope with radius attributes -> not working

    Additionally I tried interface selection for the client with radius attributes and let the client request the ip -> not working either.

    So I'm currently out of ideas and need some advice ;-)

    Wednesday, July 22, 2020 12:42 PM
  • Hi,

     

    Thanks for your reply.

     

    Based on discussing with our senior Network engineer, please kindly note that the goal "assign a dhcp address (several scopes on a 2019 MS DHCP) to an always on vpn user based on network policies on the NPS server" cannot be achieved. Thanks for your understanding.

     

    For more information about NPS, please refer to the following link.

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

     

    Hope my answer will help you. Thanks!

     

    Best Regards,

    Sunny



    • Marked as answer by sstiasny Friday, July 24, 2020 7:51 AM
    Thursday, July 23, 2020 10:28 AM
  • Hi,

    and thanks for clarifying and helping me out ... sadly that means that I have to search for another solution.

    best regards

    Stefan

    Thursday, July 23, 2020 11:35 AM
  • Hi,

     

    Many thanks for your post and all the efforts so far.

     

    First, please be assured that Microsoft always does its best to provide good products to customers and is always trying to improve these products. As a support engineer, I will try my best to assist you. Meanwhile, I will also report the issue to our product team for further confirmation.

     

    Best Regards,

    Sunny



    Friday, July 24, 2020 7:40 AM