NPS as Proxy

  • Question

  • Hi!

    For years and years I've had one problem. We have two different kinds of remote access services: VPN and Dial-In. Not all users should have the permission to do both. Right now we have two token servers where a user is matched (with different user names) with its token. Our NASs authenticate to an ACS server, which passes the request via an unknown-user policy to the token server where the user is held. That's the way it works right now. So a user has two accounts to remember and we have to pay two licenses for that condition. :(

    I am searching for a way to match an authenticating user to a certain AD group with a NAS IP in the policy. The point is that I just want to check if the user is a member of the group, not the password. After checking the group membership I want the request to be forwarded to the token server or ACS.

    e.g.:
    1) User A accesses NAS 1.1.1.1; the NPS should check if A is in group X and then forward to Token-Server/ACS Y. If no membership is assigned or the NAS is wrong, the user should be blocked.
    2) User C accesses NAS 2.2.2.2; the NPS should check if C is in group V and then forward to Token-Server/ACS W. If no membership is assigned or the NAS is wrong, the user should be blocked.

    Nevertheless: the pass-string (AD-Pass+OTP) should always be forwarded to the Token-Server.

    Can anybody help me please with that request?

    rds. Ben
    Wednesday, September 23, 2009 9:22 AM

Answers

  • Hi,
      Sorry, you cannot do the proxy forward based on the security (user) groups. You can, however, forward the request to a different Token-Server/ACS based on string pattern matching on the username. For example, if the username contains the 'VPN' string, forward the authentication to Token-Server/ACS A.

      May I also know why you want to authenticate the users on different Token-Server/ACS servers based on the connection type (VPN/Dial-in)? Here I'm trying to understand your problem more.

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    • Marked as answer by Miles Zhang Wednesday, September 30, 2009 1:09 AM
    Monday, September 28, 2009 10:58 PM
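The following is an added model of the connection request policy evaluation the answer describes (username pattern plus NAS IP, first match forwards to a remote RADIUS server group, no match rejects); it is not code from the thread or from NPS itself, and the policy names, username patterns, NAS addresses and server group names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Model of how NPS evaluates connection request policies as a RADIUS proxy:
# policies are tried in order, the first one whose conditions all match wins,
# and the request is either forwarded to a remote RADIUS server group or rejected.
# Policy names, patterns, NAS addresses and server groups are hypothetical.

@dataclass
class ConnectionRequestPolicy:
    name: str
    user_name_pattern: str   # regex condition on the RADIUS User-Name attribute
    nas_ip: str              # NAS-IPv4-Address condition (one NAS per policy here)
    remote_group: str        # remote RADIUS server group the request is forwarded to

POLICIES = [
    ConnectionRequestPolicy("VPN users", r"^vpn[_-]", "1.1.1.1", "Token-Server Y"),
    ConnectionRequestPolicy("Dial-in users", r"^dial[_-]", "2.2.2.2", "Token-Server W"),
]

def route_request(user_name: str, nas_ip: str, password: str) -> Optional[dict]:
    """Return the forwarded request for the first matching policy, or None (reject).

    The password string (AD password + OTP) is passed through untouched: NPS acting
    as a proxy does not verify it, the token server behind the remote group does.
    """
    nas = ipaddress.ip_address(nas_ip)
    for policy in POLICIES:
        if not re.search(policy.user_name_pattern, user_name, re.IGNORECASE):
            continue
        if nas != ipaddress.ip_address(policy.nas_ip):
            continue  # right username pattern but wrong NAS: this policy does not apply
        return {"policy": policy.name, "forward_to": policy.remote_group,
                "User-Name": user_name, "User-Password": password}
    return None  # no policy matched: the Access-Request is rejected
```

A VPN-named account arriving from the dial-in NAS therefore matches no policy and is rejected, which is the "wrong NAS" case the question asks for.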