Radius Groups for IKEv2 Rule Assignment

I have a RADIUS server set up and working to handle the authentication for our IKEv2 VPN and have created 3 different groups to control resource access. Group 1 is used to authenticate to the VPN, Group 2 is for internal IT staff with a broader permission set, and Group 3 is restricted to just 2 resources. Group 1 seems redundant, but if I try to set up the RADIUS server to authenticate against more than 1 group, no users are able to connect.

For those that do something similar, have you encountered the behavior where the Firebox is picking up a user as a member of all three groups? I've double checked group membership on the RADIUS server and this user is only a member of Group 1 and Group 2.

Comments

  • My recollection is that the RADIUS server should only return one attribute (usually Filter-ID, attribute 11) which the Firebox then enumerates and applies the appropriate policies - at least that's how I've done it when having to use Windows NPS as the RADIUS server.

    On the RADIUS server (describing NPS here), it checks the user login and works through a list of possible matching policies, and stops at the first one - which then returns the configured Filter-ID as the group name for the Firebox to use.

    How the policies are configured depends on what exactly users need to access, but keep in mind that a user should only match one group.

    I'd first look at the RADIUS server logs to see what Filter-ID or RADIUS policy an affected login session matched to figure out what the Firebox then tries to enumerate based on that group name.

  • This makes sense, I'll review the logs and see what is there.

    Since you used NPS, did you set up a network policy for each group?

  • @Garrett said:
    This makes sense, I'll review the logs and see what is there.

    Since you used NPS, did you set up a network policy for each group?

    Yes - in the instances I was setting up, there was a common set of resources (e.g. main file server) that all users could access, and then there were group-specific resources that policies granted access to in addition to the common resources (e.g. IT has access to all internal networks, site maintenance groups get access to one site's subnet, etc.).

    It resulted in quite a few NPS connection access policies, but that was the only way to get it done with NPS, given the Firebox can only enumerate one Filter-ID from RADIUS; it worked, though.
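As an added example (not code from this thread, from WatchGuard or from Microsoft), the two behaviours described in the comments above modelled in Python: an NPS-style ordered policy list that stops at the first match and so yields exactly one Filter-ID, and a minimal parser for a RADIUS Access-Accept that reports whether the reply carries one Filter-ID (attribute 11) or several, which is the thing to look for in the server logs. The policy names, group names and Filter-ID strings are assumptions, and the packet is constructed with a zeroed Response Authenticator, so it is for parsing only.

```python
import struct

FILTER_ID = 11          # RADIUS attribute type for Filter-ID (RFC 2865, 5.11)
ACCESS_ACCEPT = 2       # RADIUS code for Access-Accept
HEADER_LEN = 20         # code, identifier, length, 16-byte authenticator

# NPS-style network policies, evaluated top to bottom; each row is
# (policy name, groups the user must be in, Filter-ID returned on match).
# Names and groups are assumptions for the example, not the poster's config.
POLICIES = [
    ("IT staff",   {"Group 1", "Group 2"}, "IT-Access"),
    ("Restricted", {"Group 1", "Group 3"}, "Limited-Access"),
    ("VPN users",  {"Group 1"},            "VPN-Users"),
]

def first_match(user_groups):
    """Stop at the first policy whose group condition holds, as NPS does."""
    groups = set(user_groups)
    for name, required, filter_id in POLICIES:
        if required <= groups:
            return name, filter_id
    return None, None               # no policy matched: Access-Reject

def build_access_accept(filter_ids, identifier=1):
    """Constructed Access-Accept carrying one Filter-ID AVP per value."""
    body = b"".join(bytes([FILTER_ID, 2 + len(v)]) + v.encode() for v in filter_ids)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body   # authenticator zeroed: constructed sample

def parse_attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet, checking lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def filter_ids(packet):
    return [v.decode() for t, v in parse_attributes(packet) if t == FILTER_ID]

def single_filter_id(packet):
    """The one group name the Firebox can use, or None if zero or several came back."""
    ids = filter_ids(packet)
    return ids[0] if len(ids) == 1 else None
```

Feeding a reply with several Filter-ID values through single_filter_id returns None, which is the situation to rule out when a user appears to belong to every group.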

  • Awesome, I'll give it a shot.
