How do you restrict users' destinations on a network using "windows NPS" radius when dialing into a cisco ASA RRS feed

  • Question

  • Hi there,

    My setup is this:

    • Cisco ASA 5525 firewalls
    • Cisco Anyconnect Client
    • Windows 2008 R2 AD Domain w/ NPS server installed and using Radius to authenticate the users' access via a group.
    • Different domain (so users are connecting from our domain into completely disconnected, remote site with a different domain).

    All this is working fine.  Users can log into the system and everything is good.  Now, we would like to restrict *where* certain groups of users can log in.  Most of the services they are trying to access are running either CentOS or RHEL, but they are connecting from Windows 7 x64-based systems.

    I would like them to be able to log into the environment, but when they pull up their ssh client, I want them to be able to get to server x, but not server y.

    I'm open to suggestions.

    • Edited by Dman2k1 Thursday, November 29, 2012 10:41 PM
    Thursday, November 29, 2012 7:56 PM

All replies

  • Hi,

    Thanks for your post.

    Please note that the NPS cannot determine which internal resources the authenticated computer can access. You cannot define it via Network Policy. In order to restrict computers from accessing the entire network, you need to assign them to different VLANs or use IPsec.

    Best Regards,


    Aiden Cao
    TechNet Community Support

    Tuesday, December 4, 2012 3:29 AM
  • Hi Aiden,

    Thanks for the response.  Which of these would you say is the most robust and quick to implement?  I've not implemented IPsec before.  With regard to assigning them to different VLANs, would this be done via the NPS server depending on the client, or at the ASA level, or did you mean that both of these would work together to meet my requirements?

    Essentially, I have business users who would use VPN to connect to their restricted business resources in the remote network and systems users who could connect to any resource as they are required to manage the whole infrastructure.

    Tuesday, December 4, 2012 5:35 PM
  • Hi, If there is any update on the mentioned discussion, kindly post for reference. Regards, AD
    Monday, January 28, 2013 6:51 AM
  • On your NPS Network Policies, you can restrict traffic using packet filters:

    This could be an option

    Johan Loos

    Wednesday, February 20, 2013 10:18 AM
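As an added illustration of the per-group approach the thread circles around (this is not configuration from the original posts), the following Cisco ASA snippet attaches a different vpn-filter ACL to each group policy; NPS selects the policy by returning the RADIUS Class attribute (`OU=GP_BUSINESS` or `OU=GP_SYSTEMS`) from the Network Policy that matches the user's AD group. The ACL names, group-policy names, server addresses and the RADIUS server-group name are constructed placeholders.

```cisco
! Added example, not from the thread. ASA enforces the per-group filter
! after NPS returns Class "OU=<group-policy-name>" for the authenticated user.
! 10.20.0.10 stands in for "server x"; 10.20.0.0/16 is the remote site LAN.

! Business users: SSH to server x only; everything else through the tunnel is dropped and logged.
access-list VPN_BUSINESS_FILTER extended permit tcp any host 10.20.0.10 eq 22
access-list VPN_BUSINESS_FILTER extended deny ip any any log

! Systems users: full access to the remote site, as they manage the whole infrastructure.
access-list VPN_SYSTEMS_FILTER extended permit ip any 10.20.0.0 255.255.0.0

group-policy GP_BUSINESS internal
group-policy GP_BUSINESS attributes
 vpn-filter value VPN_BUSINESS_FILTER

group-policy GP_SYSTEMS internal
group-policy GP_SYSTEMS attributes
 vpn-filter value VPN_SYSTEMS_FILTER

! Fail closed: a user whose NPS policy returns no known Class value lands in
! a policy that allows zero logins instead of an unfiltered default.
group-policy GP_DENY internal
group-policy GP_DENY attributes
 vpn-simultaneous-logins 0

tunnel-group ANYCONNECT_TG general-attributes
 authentication-server-group NPS_RADIUS
 default-group-policy GP_DENY
```

On the NPS side this needs two Network Policies, each conditioned on a Windows group and each adding the standard RADIUS attribute Class with the matching `OU=` value; a quick check is `show vpn-sessiondb anyconnect` on the ASA, which lists the group policy and filter actually applied to a connected user.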