For years and years I've had one problem. We have two different kinds of remote access services: VPN and Dial-In. Not all users should have the permission to do both. Right now we have two token servers where a user is matched (with different user names) with its token. Our NASs authenticate to an ACS server and it brings the request via an unknown user policy to the token server where the user is held. That's the way it works right now. So a user has got two accounts to remember and we have to pay two licenses for that condition. :(
I'm searching for a way to match an authenticating user to a certain AD group with a NAS IP in the policy. The point is that I just want to check if the user is a member of the group, not the password. After checking the group membership I want the request to be forwarded to the token server or ACS.
E.g.:
1) User A accesses NAS 1.1.1.1. The NPS should check if A is in group X and then forward to Token-Server/ACS Y. If no membership is assigned or the NAS is wrong, the user should be blocked.
2) User C accesses NAS 2.2.2.2. The NPS should check if C is in group V and then forward to Token-Server/ACS W. If no membership is assigned or the NAS is wrong, the user should be blocked.
Nevertheless: the pass string (AD password + OTP) should always be forwarded to the token server.
Hi, sorry, you cannot do the proxy forward based on the security (user) groups. You can, however, forward the request to a different Token-Server/ACS based on string pattern matching on the username. For example, if the username contains the 'VPN' string, forward the authentication to Token-Server/ACS A.
May I also know why you want to authenticate the users on different Token-Server/ACS servers based on the connection type (VPN/Dial-in)? Here I'm trying to understand your problem more.
Thanks -RamaSubbu SK
Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
Marked as answer by Miles Zhang, Wednesday, September 30, 2009 1:09 AM
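As an added illustration (not from the thread and not NPS code): a small Python model of the approach in the reply, where ordered connection request policies match on a username pattern plus the NAS IP from the question and either proxy the request untouched to a RADIUS server group or reject it. Policy names, patterns, NAS addresses and server-group names are assumed; group membership is deliberately absent because it is not a proxy condition.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One connection request policy (constructed model, not NPS's own)."""
    name: str
    user_name_pattern: str      # regex tested against the RADIUS User-Name
    nas_ip: str                 # NAS-IPv4-Address (host or CIDR) the request must come from
    forward_to: Optional[str]   # RADIUS server group to proxy to; None means reject


# Evaluated top to bottom; the first policy whose conditions all match decides.
# The last, catch-all policy turns "no match" into an explicit reject, which is
# what blocks a user with the wrong prefix or coming from the wrong NAS.
POLICIES = [
    Policy("VPN users",     r"^VPN-",  "1.1.1.1",   "Token-Server-Y"),
    Policy("Dial-in users", r"^DIAL-", "2.2.2.2",   "Token-Server-W"),
    Policy("Catch-all",     r".*",     "0.0.0.0/0", None),
]


def conditions_match(policy: Policy, user_name: str, nas_ip: str) -> bool:
    """All conditions of a policy must hold for it to apply."""
    name_ok = re.search(policy.user_name_pattern, user_name, re.IGNORECASE) is not None
    nas_ok = ipaddress.ip_address(nas_ip) in ipaddress.ip_network(policy.nas_ip, strict=False)
    return name_ok and nas_ok


def route_request(user_name: str, nas_ip: str) -> Tuple[str, Optional[str]]:
    """Return (matching policy name, server group or None for reject)."""
    for policy in POLICIES:
        if conditions_match(policy, user_name, nas_ip):
            return policy.name, policy.forward_to
    return "no policy", None


def proxy(request: dict) -> dict:
    """Decide the target; the User-Password (AD password + OTP) is left untouched
    so the token server can validate the full pass string, as the question requires."""
    policy, target = route_request(request["User-Name"], request["NAS-IP-Address"])
    return {"policy": policy, "action": "forward" if target else "reject",
            "server_group": target, "User-Password": request["User-Password"]}
```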