For When You Can't Have The Real Thing

NPS Notes

Created by dave. Last edited by dave, 14 days ago.
(2019-04-10)

Some Notes On Network Policy Server

You can specify the type of connection that the user is requesting. For example, say you want different groups for WiFi users than for SSLVPN users. If both types of connection are requested through the same client device, e.g. a FortiGate, you have to specify the NAS Port Type on the Conditions tab:

  • Virtual (for VPN)
  • Wireless - IEEE 802.11

Don't put the NAS Port Type in the Constraints tab. The Conditions get you access to the policy; if a request fails the conditions, the policy is not evaluated for pass or fail. A Constraint is something the request must satisfy in addition to the specified conditions; failing the constraint test results in a deny reply, with no further policies being evaluated.

Connection Request Policies: frankly at this point I'm not sure I understand what the point of these is, since you can put all the details into the Network Policy instead -- i.e. NAS Port Type or Client Friendly Name etc. Possibly it would make sense if you have specific Connection Request Policy limitations and a large number of Network Policies and relatively few types of Clients; you could define the connection restrictions in fewer places. But my installations are all small (five Clients max, three Network Policies max) so I'm no expert on this.

Juniper EX switches don't seem to send a NAS Port Type for administrative login requests. So I usually stick the Network Policies for these devices at the bottom of the policy list.
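
The Conditions-versus-Constraints behaviour and the policy ordering described above can be checked with a small model. This is an added example, not NPS code or part of the original notes; the policy names, group names and requests are constructed, and group membership stands in for whatever other conditions the policies carry.

```python
# Simplified model of NPS Network Policy processing (not Microsoft's code).
# Policy names, group names and requests are constructed samples.

def matches(rules, request):
    """Every rule attribute must be present in the request with an allowed value."""
    for attr, allowed in rules.items():
        value = request.get(attr, set())   # attribute not sent -> no match
        present = value if isinstance(value, set) else {value}
        if not present & allowed:
            return False
    return True

def evaluate(policies, request):
    """Walk policies top-down; return (policy name, RADIUS reply)."""
    for p in policies:
        if not matches(p["conditions"], request):
            continue                        # skipped: neither pass nor fail
        if not matches(p["constraints"], request):
            return p["name"], "Access-Reject"   # deny, later policies never run
        return p["name"], "Access-Accept"
    return None, "Access-Reject"            # nothing matched

def policy(name, conditions, constraints=None):
    return {"name": name, "conditions": conditions, "constraints": constraints or {}}

WIFI, VPN = {"Wireless - IEEE 802.11"}, {"Virtual"}

# NAS Port Type on the Conditions tab; switch admin policy at the bottom.
AS_CONDITION = [
    policy("WiFi", {"groups": {"wifi-users"}, "nas_port_type": WIFI}),
    policy("SSLVPN", {"groups": {"vpn-users"}, "nas_port_type": VPN}),
    policy("Switch admin", {"groups": {"net-admins"}}),
]
# Same policies with NAS Port Type moved to the Constraints tab.
AS_CONSTRAINT = [
    policy("WiFi", {"groups": {"wifi-users"}}, {"nas_port_type": WIFI}),
    policy("SSLVPN", {"groups": {"vpn-users"}}, {"nas_port_type": VPN}),
    policy("Switch admin", {"groups": {"net-admins"}}),
]

# Constructed requests: a user in both groups connecting over SSLVPN through
# the FortiGate, and a switch login that carries no NAS Port Type at all.
vpn_login = {"groups": {"wifi-users", "vpn-users"}, "nas_port_type": "Virtual"}
switch_login = {"groups": {"net-admins"}}

if __name__ == "__main__":
    for label, policies in (("condition", AS_CONDITION), ("constraint", AS_CONSTRAINT)):
        print(label, evaluate(policies, vpn_login), evaluate(policies, switch_login))
```

With NAS Port Type as a constraint, the SSLVPN login is rejected by the WiFi policy before the SSLVPN policy is ever looked at; as a condition, the WiFi policy is skipped and the SSLVPN policy answers.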

This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.
