Different VPNs for different groups and use RADIUS?
I would like to set up two VPNs with different network access for two different groups. I would like to use RADIUS for the authentication.
For example, assume I have two internal networks. One has development servers, the other has web servers, email servers and all the other normal business infrastructure. I would like to have the developers be able to access anything, but marketing, sales, finance, etc. people should only access the infrastructure systems. I think I can handle this by defining two different OpenVPN servers using different tunnel networks. I then can control access via a firewall.
The problem is controlling who may use each of the VPNs. If I were creating local users I figure I could control access using local groups. The problem is I want to use RADIUS. We use an RSA Ace server which includes a RADIUS server. We have the groups defined in an LDAP server (we have both Sun One and AD – we could use either). Is there any way to make this work?
I could also let the Ace server manage the authentication based upon groups, but then it would make its decision based upon the RADIUS client's IP address. I see no way to define the bind address when defining the RADIUS server on pfSense. Is there a way to do this? If so, I could define the RADIUS server twice with different bind addresses and use the two different definitions to get different authentication semantics.
Is there any way to do this, or am I forced to set up two separate pfSense servers?