Passing client routes via Active Directory
-
If you use RADIUS auth for AD via NPS, you can pass back a reply attribute that contains routes however you like. Policies in NPS should let you set that up on a per-group basis.
You need to setup a Cisco-AVPair reply attribute containing "route=x.x.x.x y.y.y.y" and so on.
-
Could you please clarify something still unclear to me?
Won't you need something like captive portal in order to manage FW rules accordingly?
What I mean to say is that passing route definitely helps user A to reach targeted network, however, as it means that you also have FW rule allowing such access, nothing prevents, as far as I understand, user B to manually add such route and then access.
You don't want B to access but you can't prevent it unless you set up something specific isn't it? -
Yeah exactly, this just doesn't make sense. Set up different OpenVPN servers for different user groups that have different access needs to that you are actually able to manage firewall rules per VPN.
-
Yeah exactly, this just doesn't make sense. Set up different OpenVPN servers for different user groups that have different access needs to that you are actually able to manage firewall rules per VPN.
This is more or less what I meant.
Well, one may have slightly different needs. f.i. 2 sites connected though VPN link (site-to-site) plus willingness to control routing "per user". But in such case the "adding route" question is not valid.Definitely requirements should be refined.
-
You can also push static addresses and firewall rules from RADIUS.
But ultimately having separate VPNs is easier.
You can setup multiple LDAP server entries each with a different extended filter to restrict by AD group and select the appropriate auth server for each VPN as needed.
-
You can also push static addresses and firewall rules from RADIUS.
Would you mind elaborating on this please? Do you mean IP allocated by VPN server? and what's about FW rules?
I'll look at this, for my own understanding ;) -
Our OpenVPN code supports pulling in a few bits and pieces from RADIUS if you know the right incantations :-)
Most are Cisco-AVPair style:
- Cisco-AVPair inacl= / outacl= – firewall rules, simple syntax like "permit tcp from foo to bar", I don't think we have a formal write-up on the syntax but it shouldn't be hard to nail down.
- Cisco-AVPair dns-servers= -- space-separated list of DNS servers
- Cisco-AVPair route= -- as mentioned above, a way to push a route from RADIUS, syntax is just "x.x.x.x y.y.y.y" where the first is an IP addr, second a subnet mask
- Framed-IP-Address= -- an address to push to the client, server will be one address lower than the IP address given, e.g. if you want the client to use x.x.x.4/30 (client is .6, server .5) then pass along x.x.x.6 to the client
-
Thanks a lot Jimp. Very helpful 8)
-
Thanks for all your help. And having separate VPNs does not make it easier when your dealing with couple of hundred users and around 50 different networks. That and some of these users needs access to separate environments and that would require them to disconnect and connect. Being able to push routes as well as firewall rules via a group is the preferred method. Then I can set it up and forget and let someone else manage the groups. That and we can have one client to manage not having to deal with many different configs.
-
Your problem to deal with. All we are telling you that this does not produce any real security.
-
I would like to thanks everyone for the help I was able to get working exactly what I wanted by having radius push routes and firewall rules all managed from AD. Thanks Again
