Remote Access with Radius & AD

If I set up remote ipsec access and select a user with remote authentication.

I have radius (position 1) & AD (position 2) as remote authentication because I want to use AD for some forms of authentication, e.g. browsing etc.

I've noticed that if a remote user fails the radius authentication, they then drop down onto the AD authentication.

I do not want to use AD authentication for ipsec, only radius. Is there a way to do this?

  • If the User fails RADIUS auth, why would he pass AD auth?  If that happens, then you probably need to rethink the Backend Group definition(s) used in the IPsec Remote Access Rule.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We use AD & STAS for our web filtering for 600 users.

    We have vpn users which we authenticate via Radius. These users are in an AD group and we want them to use the same domain password. We also have a group for wireless authentication in Radius. It gives us more finite control.

    I think the UTM should offer what type of backend authentication you want to use for each module, e.g. radius for wireless, AD & STAS for web, rather than just group the users in "backend authentication", in which the only control you have is the order in which the authentication is run.

  • Again, Louis, I can't see exactly what you need to do, but my guess is that you're making a false assumption somewhere and have not structured your Backend and AD Groups to fit your needs.  None of my clients has this problem with RADIUS and AD.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    we use AD and STAS for all of our users on the web proxy. So everybody can get out to the web.

    However, we have certain users that we want to vpn in. In AD, we create a VPN group and add the users to this.

    In Radius, we say that the vpn users must be a member of this group. So, we put this user into the vpn on the UTM.

    I then watched the user fail radius authentication because of a radius policy that wasn't set up right. However, they still managed to log on because they were authenticated in AD.

    Now we could alter AD and limit the AD query to a certain OU etc but should we have to?

    I think the UTM would be better with the ability to select what type of authentication you would like for which module.

  • You can make that suggestion, Louis.  In the meantime, in the UTM, if you haven't already done so, you need to create a Backend Group based on the AD VPN Group.  Next, add a new Policy at the top in Web Filtering that assigns the desired Filter Action (maybe a new one) to the Backend Group.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA