
Use AD to restrict access for VPN users

ecceman
Occasional Visitor

I'm a network technician, working mostly with campus networks (Cisco mostly) and security appliances like firewalls. I'm not very good at Windows Server configuration, so I need a bit of help solving an issue with AD and NPS that Google does not solve for me. :)

I'm setting up Remote Access VPN (it's not Direct Access or any other Microsoft VPN solution). When user A connects via VPN, he should not be able to access everything through the VPN tunnel; it should be locked down to a few IP addresses and port numbers, like:

 

192.168.40.0/24, port 80

172.16.55.43, port 22

 

User A might be member of a group, and others in that group should have the same restriction. The general idea is that an organisation should be able to configure this access restriction in AD and not have to log on to the firewall to do this. 

 

My question is how you configure this. The only way I have found is to create a separate Network Profile for every Group, and in that profile set group membership as a condition and a Cisco-AV-Pair specifying the ACL in the settings (pictures below). That's not a very scalable solution for large organizations. Is there a better way?

 

I've set up a lab environment for this, based on a DC and an NPS server. I'm not sure if NPS is needed but it seemed reasonable (maybe there is an LDAP solution?). I've configured RADIUS authentication via the NPS server and it works; it's just the ACL bit on AD that's missing.

 

Screen Shot 2018-09-12 at 17.11.57.png

Screen Shot 2018-09-12 at 17.12.58.png
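The post describes restricting a VPN group to two destinations by returning a Cisco-AV-Pair ACL from NPS. The following Python is an added example, not code from the original post or from Microsoft/Cisco: it takes a group-to-rules table (the group name `VPN-Restricted-A` is a hypothetical placeholder; the two rules are the ones from the post), renders the per-user ACL lines in the `ip:inacl#N=...` AV-pair form that Cisco devices accept for downloadable ACLs (the exact attribute format is assumed here and should be checked against the target platform's documentation), appends an explicit deny so the tunnel is default-deny, and includes a small first-match evaluator so you can verify what a member of the group would and would not be able to reach before pushing the policy.

```python
import ipaddress

# Constructed sample data: AD group -> list of (destination, protocol, port).
# The group name is a hypothetical placeholder; the two rules mirror the post.
GROUP_RULES = {
    "VPN-Restricted-A": [
        ("192.168.40.0/24", "tcp", 80),
        ("172.16.55.43", "tcp", 22),
    ],
}


def cisco_destination(dest: str) -> str:
    """Render a destination in Cisco ACL syntax.

    A /32 becomes 'host a.b.c.d'; any other prefix becomes
    'network wildcard-mask' (wildcard = inverted subnet mask).
    """
    net = ipaddress.ip_network(dest, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_av_pairs(rules, default_deny=True):
    """Build the ordered Cisco-AV-Pair strings for one group.

    Each permit rule becomes 'ip:inacl#N=permit <proto> any <dest> eq <port>'.
    With default_deny=True a trailing 'deny ip any any' is added so that
    anything not listed is blocked (least privilege), rather than relying on
    an implicit deny whose presence differs between platforms.
    """
    pairs = []
    for n, (dest, proto, port) in enumerate(rules, start=1):
        pairs.append(
            f"ip:inacl#{n}=permit {proto} any {cisco_destination(dest)} eq {port}"
        )
    if default_deny:
        pairs.append(f"ip:inacl#{len(pairs) + 1}=deny ip any any")
    return pairs


def is_permitted(rules, dst_ip: str, proto: str, port: int) -> bool:
    """First-match evaluation of the same rule list.

    Returns True only if some permit rule covers the destination, protocol
    and port; everything else falls through to the final deny.
    """
    addr = ipaddress.ip_address(dst_ip)
    for dest, rule_proto, rule_port in rules:
        if (
            addr in ipaddress.ip_network(dest, strict=False)
            and rule_proto == proto
            and rule_port == port
        ):
            return True
    return False


def build_all_groups(group_rules=GROUP_RULES):
    """Map every group to its AV-pair list, ready to copy into an NPS profile."""
    return {group: build_av_pairs(rules) for group, rules in group_rules.items()}


if __name__ == "__main__":
    for group, pairs in build_all_groups().items():
        print(f"# {group}")
        for line in pairs:
            print(line)
```

Keeping the table in one place and generating the attribute strings from it does not remove the need for an NPS policy per group, but it makes the content of each policy reproducible and reviewable: the evaluator lets you assert, for example, that SSH to any host other than 172.16.55.43 is blocked before anyone connects.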
