0

I need to provide remote network access that is restricted depending on the user that dials in (i.e. different users are placed on different VLANs).

I will then implement firewall security (on a separate hardware firewall) between VLANs to restrict what users can access.

Is there any way to assign different users to different VLANs based on their user credentials used during VPN initiation?

Braiam
  • 622
  • 4
  • 23
morleyc
  • 1,120
  • 13
  • 45
  • 86

1 Answers1

0

I think NPS (Network Policy Server / RADIUS) is capable of doing this, however, I'm not sure if it is possible trough VPN:

http://technet.microsoft.com/en-us/library/cc754422(WS.10).aspx

VLAN Attributes Used in Network Policy

VLAN attributes used in network policy

When you use network hardware, such as routers, switches, and access controllers that support virtual local area networks (VLANs), you can configure Network Policy Server (NPS) network policy to instruct the access servers to place members of Active Directory® groups on VLANs.

Before configuring network policy in NPS for VLANs, create groups of users in Active Directory Domain Services (AD DS) that you want to assign to specific VLANs. Then when you run the New Network Policy wizard, add the Active Directory group as a condition of the network policy.

You can create a separate network policy for each group that you want to assign to a VLAN. For more information, see Create a Group for a Network Policy.

When you configure network policy for use with VLANs, you must configure the RADIUS standard attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, and Tunnel-Type. Some hardware vendors also require the use of the RADIUS standard attribute Tunnel-Tag.

To configure these attributes in a network policy, use the New Network Policy wizard to create a network policy. You can add the attributes to the network policy settings while running the wizard or after you have successfully created a policy with the wizard.

Note

  • To add the attributes after you have created the network policy with the wizard, locate the policy in the NPS console and double-click the policy to open it. Click the Settings tab in the policy properties, ensure that RADIUS Attributes - Standard is selected, and then click Add. In the Add Attribute dialog box, add the following attributes.

Tunnel-Medium-Type. Select a value appropriate to the previous selections you made while running the New Network Policy wizard. For example, if the network policy you are configuring is a wireless policy, in Attribute Value, select 802 (Includes all 802 media plus Ethernet canonical format).

Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. For example, if you want to create a Sales VLAN for your sales team by assigning team members to VLAN 4, type the number 4.

Tunnel-Type. Select the value Virtual LANs (VLAN).

Tunnel-Tag. Some hardware devices do not require this attribute. If your hardware device requires this attribute, obtain this value from your hardware documentation.

MichelZ
  • 11,008
  • 4
  • 30
  • 58
  • I am checking the policy, could this be done with RAS IP Filters to restrict access to certain subnets/hosts? – morleyc May 28 '12 at 14:30