Different VPNs for different groups and use RADIUS?
  • I would like to set up two VPNs with different network access for two different groups.  I would like to use RADIUS for the authentication.

    For example, assume I have two internal networks.  One has development servers, the other has web servers, email servers and all the other normal business infrastructure.  I would like to have the developers be able to access anything, but marketing, sales, finance, etc. people should only access the infrastructure systems.  I think I can handle this by defining two different OpenVPN servers using different tunnel networks.  I then can control access via a firewall.

    The problem is controlling who may use each of the VPNs.  If I were creating local users I figure I could control access using local groups.  The problem is I want to use RADIUS.  We use an RSA Ace server which includes a RADIUS server.  We have the groups defined in an LDAP server (we have both Sun One and AD – we could use either).  Is there any way to make this work?

    I could also let the Ace server manage the authentication based upon groups, but then it would make its decision based upon the RADIUS client's IP address.  I see no way to define the bind address when defining the RADIUS server on pfSense.  Is there a way to do this?  If so, I could define the RADIUS server twice with different bind addresses and use the two different definitions to get different authentication semantics.

    Is there any way to do this or am I forced to set up two separate pfSense servers?
