(2019-04-10)
Some Notes On Network Policy Server
You can specify the type of connection that the user is requesting. For example, say you want different groups for WiFi users than for SSLVPN users. If both types of connection come in through the same RADIUS client device, i.e. a FortiGate, you have to specify the NAS Port Type on the Conditions tab:
- Virtual (for VPN)
- Wireless - IEEE 802.11
Don't put the NAS Port Type on the Constraints tab. Conditions get you access to the policy; failing a condition means the policy simply does not match, and NPS moves on to evaluate the next policy in the list. A Constraint is something the request must satisfy in addition to the conditions, and failing a constraint results in a deny reply, with no further policies being evaluated. So a NAS Port Type constraint on the VPN policy would reject a WiFi user who happens to satisfy that policy's other conditions, instead of letting the request fall through to the WiFi policy.
Connection Request Policies: frankly at this point I'm not sure I understand what the point of these is, since you can put all the details into the Network Policy instead, i.e. NAS Port Type or Client Friendly Name etc. Possibly it would make sense if you have specific Connection Request Policy limitations and a large number of Network Policies and relatively few types of Clients; you could then define the connection restrictions in fewer places. But my installations are all small (five Clients max, three Network Policies max), so I'm no expert on this.
Juniper EX switches don't seem to send a NAS Port Type for administrative login requests. So I usually stick the Network Policies for these devices at the bottom of the policy list.
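To make the Conditions vs Constraints distinction and the "put the Juniper policies at the bottom" ordering concrete, here is a small Python model of how NPS walks its Network Policy list. It is an added example, not code from the original post or from Microsoft, and it models only the rule described above (a failed condition skips the policy, a failed constraint rejects and stops). The policy names, group names, client friendly names and sample requests are all constructed for illustration; the NAS-Port-Type numeric values are the standard RADIUS ones.

```python
"""Toy model of NPS Network Policy evaluation order (added example, not
from the original post or from Microsoft). Models only the rule the post
describes: Conditions decide whether a policy is considered at all,
Constraints are checked once a policy has matched, and a failed Constraint
rejects the request with no further policies tried. Policy names, group
names, client friendly names and the sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# NAS-Port-Type values from RFC 2865 for the two cases in the post.
NAS_PORT_TYPE_VIRTUAL = 5          # shown as "Virtual (VPN)" in the NPS console
NAS_PORT_TYPE_WIRELESS_80211 = 19  # shown as "Wireless - IEEE 802.11"

Request = Dict[str, object]
Check = Callable[[Request], bool]


@dataclass
class NetworkPolicy:
    name: str
    conditions: List[Check]
    constraints: List[Check] = field(default_factory=list)


def nas_port_type_is(value: int) -> Check:
    return lambda req: req.get("NAS-Port-Type") == value


def member_of(group: str) -> Check:
    return lambda req: group in req.get("groups", ())


def client_friendly_name_is(name: str) -> Check:
    return lambda req: req.get("Client-Friendly-Name") == name


def evaluate(policies: List[NetworkPolicy], request: Request) -> Tuple[str, Optional[str]]:
    """Walk the policy list top to bottom and return (decision, policy name)."""
    for policy in policies:
        if not all(check(request) for check in policy.conditions):
            continue                       # condition failed: skip, try the next policy
        if not all(check(request) for check in policy.constraints):
            return "Reject", policy.name   # constraint failed: deny, evaluate nothing else
        return "Accept", policy.name       # matched: the policy's access setting applies
    return "Reject", None                  # fell off the end: no policy matched


# Constructed sample requests. The EX admin login deliberately carries no
# NAS-Port-Type, mirroring what the post reports for Juniper EX switches.
WIFI_REQUEST: Request = {"NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211,
                         "Client-Friendly-Name": "fortigate",
                         "groups": ("WiFi-Users", "VPN-Users")}
VPN_REQUEST: Request = {"NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL,
                        "Client-Friendly-Name": "fortigate",
                        "groups": ("VPN-Users",)}
EX_ADMIN_REQUEST: Request = {"Client-Friendly-Name": "ex-switch",
                             "groups": ("Net-Admins",)}


def policies_with_conditions() -> List[NetworkPolicy]:
    """NAS-Port-Type on the Conditions tab, as the post recommends."""
    return [
        NetworkPolicy("SSLVPN users",
                      [nas_port_type_is(NAS_PORT_TYPE_VIRTUAL), member_of("VPN-Users")]),
        NetworkPolicy("WiFi users",
                      [nas_port_type_is(NAS_PORT_TYPE_WIRELESS_80211), member_of("WiFi-Users")]),
        # Juniper EX policy last: it cannot key on NAS-Port-Type, so it keys on the client name.
        NetworkPolicy("Juniper EX admins",
                      [client_friendly_name_is("ex-switch"), member_of("Net-Admins")]),
    ]


def policies_with_constraint() -> List[NetworkPolicy]:
    """Same list, but NAS-Port-Type moved to the Constraints tab of the VPN policy."""
    wrong_vpn = NetworkPolicy("SSLVPN users",
                              [member_of("VPN-Users")],
                              constraints=[nas_port_type_is(NAS_PORT_TYPE_VIRTUAL)])
    return [wrong_vpn] + policies_with_conditions()[1:]


if __name__ == "__main__":
    for label, policies in (("conditions", policies_with_conditions()),
                            ("constraint", policies_with_constraint())):
        for who, req in (("wifi", WIFI_REQUEST), ("vpn", VPN_REQUEST),
                         ("ex-admin", EX_ADMIN_REQUEST)):
            print(label, who, evaluate(policies, req))
```

With NAS Port Type as a condition, the WiFi request skips the VPN policy and lands on the WiFi policy, and the EX admin login (no NAS-Port-Type at all) skips both and reaches the Juniper policy at the bottom. With NAS Port Type moved to a constraint, the same WiFi user, who is also in VPN-Users, matches the VPN policy's conditions, fails its constraint, and is rejected before the WiFi policy is ever looked at.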