Use AD to restrict access for VPN users


I'm a network technician, working mostly with campus networks (Cisco mostly) and security appliances like firewalls. I'm not very good at Windows Server configuration, so I need a bit of help solving an issue with AD and NPS that Google does not solve for me. :)

I'm setting up Remote Access VPN (it's not Direct Access or any other Microsoft VPN solution). When user A connects via VPN, he should not be able to access everything through the VPN tunnel; it should be locked down to a few IP addresses and port numbers, like:

192.168.40.0/24, port 80

172.16.55.43, port 22

User A might be a member of a group, and others in that group should have the same restriction. The general idea is that an organisation should be able to configure this access restriction in AD and not have to log on to the firewall to do this.

My question is how you configure this. The only way I have found is to create a separate Network Profile for every Group, and in that profile set group membership as a condition and a Cisco-AV-Pair specifying the ACL in the settings (pictures below). That's not a very scalable solution for large organizations. Is there a better way?

I've set up a lab environment for this, based on a DC and an NPS server. I'm not sure if NPS is needed, but it seemed reasonable (maybe there is an LDAP solution?). I've configured RADIUS authentication via the NPS server and it works; it's just the ACL bit on AD that's missing.

[Screenshots of the NPS network policy: Screen Shot 2018-09-12 at 17.11.57.png, Screen Shot 2018-09-12 at 17.12.58.png]
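As an added example (not from the post, and not Microsoft's or Cisco's code), here is what the Cisco-AV-Pair setting in such a per-group policy amounts to on the wire: the two rules from the question rendered as Cisco per-user inbound ACL av-pairs (`ip:inacl#N=...`) and packed into RADIUS Vendor-Specific attributes (type 26, vendor ID 9, vendor type 1) the way an Access-Accept carries them, plus a decoder that checks the length fields. The group name and the exact ACE wording are assumptions.

```python
import struct

# RFC 2865 Vendor-Specific attribute type, Cisco's IANA vendor ID, and the
# vendor type used for cisco-avpair in common RADIUS dictionaries
RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_VENDOR_TYPE = 1

# Constructed mapping: one AD group -> the two rules from the post plus an explicit deny
GROUP_ACLS = {
    "VPN-Restricted-Users": [               # hypothetical group name
        "permit tcp any 192.168.40.0 0.0.0.255 eq 80",
        "permit tcp any host 172.16.55.43 eq 22",
        "deny ip any any",
    ],
}

def avpairs_for_group(group: str) -> list[str]:
    """Render each ACE as a numbered per-user inbound ACL av-pair."""
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(GROUP_ACLS[group], start=1)]

def encode_vsa(value: str) -> bytes:
    """Pack one cisco-avpair string into a single RADIUS VSA (max 255 bytes)."""
    data = value.encode("ascii")
    # layout: type(1) len(1) vendor-id(4) vendor-type(1) vendor-len(1) string
    if 8 + len(data) > 255:
        raise ValueError("av-pair too long for one RADIUS attribute")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VSA_TYPE, 6 + len(vendor_part), CISCO_VENDOR_ID) + vendor_part

def decode_vsa(blob: bytes) -> str:
    """Parse one attribute back, rejecting anything that is not a well-formed Cisco av-pair."""
    atype, alen, vendor = struct.unpack("!BBI", blob[:6])
    if atype != RADIUS_VSA_TYPE or vendor != CISCO_VENDOR_ID or alen != len(blob):
        raise ValueError("not a well-formed Cisco VSA")
    vtype, vlen = blob[6], blob[7]
    if vtype != CISCO_AVPAIR_VENDOR_TYPE or vlen != alen - 6:
        raise ValueError("bad cisco-avpair header")
    return blob[8:8 + vlen - 2].decode("ascii")

if __name__ == "__main__":
    for pair in avpairs_for_group("VPN-Restricted-Users"):
        print(pair, "->", encode_vsa(pair).hex())
```

The trailing deny is included so the per-user ACL documents the lockdown itself instead of depending on the device's implicit deny.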