WesinATL
I have been having a problem with some wireless connectivity to NPS, which led me to this question about NPS and best practices, and how Connection Policies and Network Policies work together (or do they?).
I have multiple RADIUS clients: my Cisco ASA, which is accepting VPN connections, and my Aruba wireless APs. In NPS, for each client there is a corresponding RADIUS Client entry and Connection Policy. These obviously correspond to each other because they reference each other. So when the VPN client tries to connect, the appropriate Connection Policy is applied.
How does it associate the Network Policies? From what I have read, the system runs through each Network Policy until it finds a match, so having a Network Policy for each RADIUS client may not be the right thing to do. In my case I have a VPN Users group, and they are allowed to access the VPN. I allow all Domain Users to access the wireless. Most users are members of both, so the second rule is somewhat redundant. It would seem that if the system reads through all the policies and John is a member of the allowed users in the wireless policy, but not the VPN policy, he would still be able to access the VPN, because the system would see him in at least one of the allowed groups under Network Policies.
What is the point of the Connection Policies setting in the third tab being able to override the Network Policy?
I wonder if a better practice is to have separate NPS servers for separate network services.
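The evaluation order the question is asking about, as an added example that is not part of the original post: a small Python model of how NPS first picks a connection request policy (by processing order, first match) and then walks every network policy in processing order, applying the first one whose conditions all match. The connection request policy decides where the request is authenticated; it does not narrow the set of network policies considered. The policy names, group names, users, and the RADIUS client friendly names "ASA-VPN" and "Aruba-AP" are constructed for this example, and the Client Friendly Name condition is modelled as exact membership rather than the regular-expression match NPS actually performs.

```python
"""Constructed model of NPS policy evaluation: connection request policy first,
then network policies in processing order, first full match wins.
Names, groups and RADIUS clients below are assumptions for the example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Standard RADIUS NAS-Port-Type values (RFC 2865 / IANA registry)
NAS_PORT_VIRTUAL = 5           # what a VPN concentrator such as an ASA typically sends
NAS_PORT_WIRELESS_80211 = 19   # what an 802.1X wireless AP/controller typically sends


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]          # Windows group memberships of the user
    client_friendly_name: str       # NPS "Client Friendly Name" of the RADIUS client
    nas_port_type: int


@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    processing_order: int
    client_friendly_names: FrozenSet[str] = frozenset()   # empty = condition not set

    def matches(self, req: Request) -> bool:
        return not self.client_friendly_names or req.client_friendly_name in self.client_friendly_names


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    processing_order: int
    grant: bool                                           # access permission of the policy
    # Each condition is "any of"; an empty set means the condition is not configured
    windows_groups: FrozenSet[str] = frozenset()
    nas_port_types: FrozenSet[int] = frozenset()
    client_friendly_names: FrozenSet[str] = frozenset()

    def matches(self, req: Request) -> bool:
        if self.windows_groups and not (self.windows_groups & req.groups):
            return False
        if self.nas_port_types and req.nas_port_type not in self.nas_port_types:
            return False
        if self.client_friendly_names and req.client_friendly_name not in self.client_friendly_names:
            return False
        return True


def evaluate(crps: List[ConnectionRequestPolicy], policies: List[NetworkPolicy],
             req: Request) -> Tuple[Optional[str], bool]:
    """Return (name of the network policy that decided, granted?)."""
    # Step 1: the first connection request policy whose conditions match is used.
    # It only decides where the request is authenticated (here: locally).
    crp = next((p for p in sorted(crps, key=lambda p: p.processing_order) if p.matches(req)), None)
    if crp is None:
        return None, False          # no matching CRP: the request is discarded
    # Step 2: walk ALL network policies in processing order. The first policy whose
    # conditions all match decides grant/deny and evaluation stops there.
    # (Constraints such as allowed EAP types are not modelled.)
    for pol in sorted(policies, key=lambda p: p.processing_order):
        if pol.matches(req):
            return pol.name, pol.grant
    return None, False              # nothing matched: Access-Reject


# One CRP per RADIUS client, as in the question (constructed names)
CRPS = [
    ConnectionRequestPolicy("ASA VPN", 1, frozenset({"ASA-VPN"})),
    ConnectionRequestPolicy("Aruba Wireless", 2, frozenset({"Aruba-AP"})),
]

# Network policies keyed on group membership only, as described in the question
UNSCOPED = [
    NetworkPolicy("Wireless access", 1, True, windows_groups=frozenset({"Domain Users"})),
    NetworkPolicy("VPN access", 2, True, windows_groups=frozenset({"VPN Users"})),
]

# The same policies, each additionally scoped to the kind of NAS it is meant for
SCOPED = [
    NetworkPolicy("Wireless access", 1, True, windows_groups=frozenset({"Domain Users"}),
                  nas_port_types=frozenset({NAS_PORT_WIRELESS_80211})),
    NetworkPolicy("VPN access", 2, True, windows_groups=frozenset({"VPN Users"}),
                  client_friendly_names=frozenset({"ASA-VPN"})),
]

# Constructed requests: John is a Domain User but not a VPN User; Alice is both
JOHN_VPN = Request("john", frozenset({"Domain Users"}), "ASA-VPN", NAS_PORT_VIRTUAL)
ALICE_VPN = Request("alice", frozenset({"Domain Users", "VPN Users"}), "ASA-VPN", NAS_PORT_VIRTUAL)
JOHN_WIFI = Request("john", frozenset({"Domain Users"}), "Aruba-AP", NAS_PORT_WIRELESS_80211)

if __name__ == "__main__":
    for label, pols in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        for req in (JOHN_VPN, ALICE_VPN, JOHN_WIFI):
            print(f"{label:8} {req.user:5} via {req.client_friendly_name:8} -> {evaluate(CRPS, pols, req)}")
```

With the unscoped policies, John's VPN request is granted by "Wireless access" because that policy comes first in the processing order and its only condition (Domain Users) is satisfied; the "VPN access" policy is never reached, which is exactly the outcome the question worries about. Alice's VPN request is also decided by the wireless policy, so even users who should get VPN access are getting the wireless policy's settings and attributes. Once each network policy also carries a NAS-Port-Type or Client Friendly Name condition, John's VPN request matches nothing and is rejected, while his wireless request and Alice's VPN request are decided by the intended policies. The override on the connection request policy's Settings tab changes the authentication settings applied to the request; it does not select which network policies are evaluated, so scoping conditions on the network policies themselves are what keep the two services apart on one NPS server.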