Cannot filter traffic by user in MUVPN IKEv2 policy using RADIUS

I've set up a Mobile User VPN using IKEv2 config on a Firebox M270 running 12.6.2.B631387. I've configured RADIUS authentication on the Firebox, and added the NPS policies as outlined in the WG KB on our Windows 2012 R2 server.
Everything works fine; all users can connect to resources using the default "Allow IKEv2-Users" policy.

However, if I try to create a new policy with a specific user (part of the IKEv2-Users group) in the "From" tab, the policy does not seem to have any effect. It appears as if the Firebox does not filter by specific RADIUS user.

I've checked that the IKEv2-Users authentication configuration and the AD "IKEv2-Users" group include this user. If I create a new policy which has the default IKEv2-Users group in the "From" tab, the policy works fine. It seems it doesn't work only when a specific user within that group is specified.

I've checked the traffic logs and I can see the user (abc@RADIUS) in the "src_user" tag correctly when the default "Allow IKEv2-Users" policy is in effect.
Any idea how I could filter by a specific user in my policies or what I might be doing wrong?

Many thanks



    Not sure why this doesn't work for you.
    Consider using an additional (new) group for this user and specifying that group name on the policy instead of the user ID.


    Thanks for the reply.
    Do I need to add this new group to the NPS server config and to the IKEv2-Users authentication configuration?


    - the NPS server config - yes, and also in AD
    - the IKEv2-Users authentication configuration - no, but you need to add the Group name in Authentication -> Users and Groups as a RADIUS Group
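The AD side of the workaround above, as an added example (not from the original thread or from WatchGuard): a PowerShell script run on the domain controller that creates a dedicated security group for the user, adds the member, and verifies the result. The group name `VPN-Finance-Restricted` and the user `abc` are placeholders chosen for the example. The NPS network policy then uses this group in its "Windows Groups" condition, and the Firebox needs the same name entered as a RADIUS group under Authentication -> Users and Groups; NPS must return that name to the Firebox in the RADIUS Filter-Id attribute, which the NPS policy's Settings tab sends as a "Vendor Specific"/standard attribute, so spelling and case must match on all three sides.

```powershell
# Added example: create the per-user AD group that the Firebox policy will match on.
# Run as a domain admin on a DC or a host with RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

# Placeholder values chosen for this example; not from the original thread.
$GroupName = 'VPN-Finance-Restricted'   # must match the RADIUS group name typed into the Firebox
$UserSam   = 'abc'                       # the user who should get the narrower policy
$GroupOu   = 'OU=VPN-Groups,DC=example,DC=local'

# 1. Create the global security group if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $GroupName `
                -SamAccountName $GroupName `
                -GroupScope Global `
                -GroupCategory Security `
                -Path $GroupOu `
                -Description 'Members receive the restricted IKEv2 MUVPN policy on the Firebox'
}

# 2. Add the user to the new group (idempotent: Add-ADGroupMember ignores existing members).
Add-ADGroupMember -Identity $GroupName -Members $UserSam

# 3. Verify membership and that the user is still in the base VPN group,
#    so the IKEv2 authentication itself keeps working.
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $UserSam) {
    throw "User $UserSam is not a member of $GroupName"
}

$baseGroups = Get-ADPrincipalGroupMembership -Identity $UserSam | Select-Object -ExpandProperty Name
if ($baseGroups -notcontains 'IKEv2-Users') {
    Write-Warning "User $UserSam is not in IKEv2-Users; the MUVPN login will fail before any policy is evaluated."
}

# 4. Print the exact group name to copy into the Firebox RADIUS group entry and the NPS policy.
Write-Output "Group ready: $GroupName (members: $($members -join ', '))"
```

After running this, create the NPS network policy with a "Windows Groups" condition on the new group and confirm in the Firebox traffic log that `src_user` shows the user while the new policy, not the default "Allow IKEv2-Users" one, is the one that matches.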


    Thanks Bruce. I will try this and let you know if it works.


    It works if the group name is specified on the policy instead of the user ID!

    Any idea why this works and not an individual user name? Is this a limitation for MUVPN IKEv2 RADIUS users, and do I need to do this for any IKEv2 policy targeting individual users?
    Thanks for your help.
