    Passing client routes via Active Directory
• jimp (Rebel Alliance Developer, Netgate)

      If you use RADIUS auth for AD via NPS, you can pass back a reply attribute that contains routes however you like. Policies in NPS should let you set that up on a per-group basis.

You need to set up a Cisco-AVPair reply attribute containing "route=x.x.x.x y.y.y.y" and so on.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

• chris4916

Could you please clarify something that is still unclear to me?

Won't you need something like a captive portal in order to manage FW rules accordingly?
What I mean to say is that pushing a route definitely helps user A to reach the targeted network; however, since it means that you also have a FW rule allowing such access, nothing prevents, as far as I understand, user B from manually adding such a route and then accessing it.
You don't want B to have access, but you can't prevent it unless you set up something specific, isn't it?

Jah Olela Wembo: Words turn into wounds when they annoy, assault or hurt.

• doktornotor (Banned)

Yeah exactly, this just doesn't make sense. Set up different OpenVPN servers for different user groups that have different access needs, so that you are actually able to manage firewall rules per VPN.

• chris4916

@doktornotor:

> Yeah exactly, this just doesn't make sense. Set up different OpenVPN servers for different user groups that have different access needs, so that you are actually able to manage firewall rules per VPN.

This is more or less what I meant.
Well, one may have slightly different needs, e.g. 2 sites connected through a VPN link (site-to-site) plus a wish to control routing "per user". But in such a case the "adding a route" question is not valid.

Definitely, the requirements should be refined.


• jimp (Rebel Alliance Developer, Netgate)

              You can also push static addresses and firewall rules from RADIUS.

              But ultimately having separate VPNs is easier.

You can set up multiple LDAP server entries, each with a different extended filter to restrict by AD group, and select the appropriate auth server for each VPN as needed.


• chris4916

@jimp:

> You can also push static addresses and firewall rules from RADIUS.

Would you mind elaborating on this, please? Do you mean the IP allocated by the VPN server? And what about FW rules?
I'll look at this, for my own understanding ;)

• jimp (Rebel Alliance Developer, Netgate)

                  Our OpenVPN code supports pulling in a few bits and pieces from RADIUS if you know the right incantations :-)

Most are Cisco-AVPair style:

• Cisco-AVPair inacl= / outacl= -- firewall rules, simple syntax like "permit tcp from foo to bar". I don't think we have a formal write-up on the syntax, but it shouldn't be hard to nail down.
• Cisco-AVPair dns-servers= -- space-separated list of DNS servers.
• Cisco-AVPair route= -- as mentioned above, a way to push a route from RADIUS; the syntax is just "x.x.x.x y.y.y.y", where the first is an IP address and the second a subnet mask.
• Framed-IP-Address= -- an address to push to the client; the server will be one address lower than the IP address given, e.g. if you want the client to use x.x.x.4/30 (client is .6, server .5) then pass along x.x.x.6 to the client.


• chris4916
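To make the attribute formats in the post above concrete, here is an added example (not pfSense's own code) that parses a constructed set of RADIUS reply attributes in the Cisco-AVPair style jimp lists, derives the server-side address from Framed-IP-Address (one lower than the client address), and renders OpenVPN push directives. The sample reply values and the `PushedConfig` structure are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample reply attributes, modelled on the syntax described in the thread.
SAMPLE_REPLY = [
    ("Cisco-AVPair", "route=10.20.0.0 255.255.255.0"),
    ("Cisco-AVPair", "route=10.30.5.0 255.255.255.128"),
    ("Cisco-AVPair", "dns-servers=10.20.0.53 10.30.5.53"),
    ("Cisco-AVPair", "inacl=permit tcp from any to 10.20.0.0/24"),
    ("Framed-IP-Address", "172.16.8.6"),
]

@dataclass
class PushedConfig:
    routes: List[Tuple[str, str]] = field(default_factory=list)  # (network, netmask)
    dns_servers: List[str] = field(default_factory=list)
    acls: List[Tuple[str, str]] = field(default_factory=list)    # (inacl|outacl, rule text)
    client_ip: Optional[str] = None
    server_ip: Optional[str] = None

def parse_route(value: str) -> Tuple[str, str]:
    """Parse 'x.x.x.x y.y.y.y'; strict=True rejects a network with host bits set or a bad mask."""
    net, mask = value.split()
    network = ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
    return (str(network.network_address), str(network.netmask))

def parse_reply(attrs) -> PushedConfig:
    """Fold RADIUS reply attributes into a per-user configuration."""
    cfg = PushedConfig()
    for name, value in attrs:
        if name == "Framed-IP-Address":
            client = ipaddress.IPv4Address(value)
            cfg.client_ip = str(client)
            cfg.server_ip = str(client - 1)   # server is one address below the client
        elif name == "Cisco-AVPair":
            key, _, rest = value.partition("=")
            if key == "route":
                cfg.routes.append(parse_route(rest))
            elif key == "dns-servers":
                cfg.dns_servers.extend(rest.split())
            elif key in ("inacl", "outacl"):
                cfg.acls.append((key, rest))  # routes alone are not access control; ACLs are
    return cfg

def to_openvpn_push(cfg: PushedConfig) -> List[str]:
    """Render the parsed attributes as OpenVPN client-specific directives."""
    lines = [f'push "route {n} {m}"' for n, m in cfg.routes]
    lines += [f'push "dhcp-option DNS {d}"' for d in cfg.dns_servers]
    if cfg.client_ip:
        lines.append(f"ifconfig-push {cfg.client_ip} {cfg.server_ip}")
    return lines
```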

Thanks a lot, Jimp. Very helpful 8)

• omnipotens

Thanks for all your help. And having separate VPNs does not make it easier when you're dealing with a couple of hundred users and around 50 different networks. That, and some of these users need access to separate environments, and that would require them to disconnect and connect. Being able to push routes as well as firewall rules via a group is the preferred method. Then I can set it up and forget it and let someone else manage the groups. That, and we can have one client to manage, not having to deal with many different configs.

• doktornotor (Banned)

Your problem to deal with. All we are telling you is that this does not produce any real security.

• omnipotens

I would like to thank everyone for the help. I was able to get working exactly what I wanted by having RADIUS push routes and firewall rules, all managed from AD. Thanks again.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.