Reply to addp009
Re: IOS and Active Directory integration using RADIUS
The way we do it is using the NAS-Port-Type.
After doing a few packet captures, we noticed that the Authentication Proxy uses X.75 as the NAS-Port-Type, and Console Access and VPN use Virtual (VPN) as the NAS-Port-Type.
We have a policy to check NAS-Port-Type X.75 to authenticate users against the Auth Proxy.
Next, we have a policy that matches Virtual (VPN) and Async (Modem). This is for connecting to the console / Telnet / SSH. As it's for the Administrators, it also checks against our "Network Admin" group. If it's a match, it returns "shell:priv-lvl=15" to log the user in as a privilege 15 user.
The next policy checks for a NAS-Port-Type of Virtual (VPN) and checks to see if the user is a member of our VPN group. If they are, it authenticates the user, but returns no privilege level (so users can log in via VPN... but they don't have any privilege to try to log into the console).
Of course this also means the administrators have VPN access too... they just log into the VPN with a privilege level of 15 (but of course that has no meaning when logging into the VPN).
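The policy order described in the reply, as an added example that is not part of the original post: a first-match evaluator over the three policies, using the RFC 2865 NAS-Port-Type numbers (Async = 0, Virtual = 5, X.75 = 9). Group names, the fall-through on a failed group check, and the assumption that the user's credentials were already verified are this example's own, not the poster's configuration.

```python
"""Toy first-match RADIUS policy evaluator for the NAS-Port-Type scheme
described in the post. Assumes password verification already succeeded;
only the policy ordering and the returned attributes are modelled."""
from dataclasses import dataclass, field
from typing import Optional

# NAS-Port-Type values from RFC 2865 used by the policies
ASYNC, VIRTUAL, X75 = 0, 5, 9


@dataclass
class Policy:
    name: str
    port_types: frozenset              # NAS-Port-Type values this policy matches
    required_group: Optional[str]      # AD group the user must be in, or None
    reply_attrs: dict = field(default_factory=dict)


# Order matters: the admin policy must sit before the VPN policy, because both
# match Virtual (VPN) and only the first match decides the reply.
# Group names are constructed examples.
POLICIES = [
    Policy("auth-proxy", frozenset({X75}), None),
    Policy("admin-shell", frozenset({VIRTUAL, ASYNC}), "Network Admin",
           {"Cisco-AVPair": "shell:priv-lvl=15"}),
    Policy("vpn-users", frozenset({VIRTUAL}), "VPN Users"),
]


def evaluate(nas_port_type: int, groups: set) -> tuple:
    """Return (reply code, reply attributes, matched policy name or None)."""
    for p in POLICIES:
        if nas_port_type not in p.port_types:
            continue
        if p.required_group is not None and p.required_group not in groups:
            # assumption: a failed group check falls through to the next policy
            continue
        return ("Access-Accept", dict(p.reply_attrs), p.name)
    return ("Access-Reject", {}, None)
```

An administrator connecting over SSH gets shell:priv-lvl=15, a VPN-only user on the same port type gets Access-Accept with no privilege attribute, and a VPN-only user on an Async port matches nothing and is rejected.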