Limiting RRAS via computer

  • Limiting RRAS via computer

    Hi all

    Can someone tell me if this is possible using Server 2008 R2 Routing and Remote Access.

    Using NPS can you restrict VPN access by computer/device that the user is connecting from.

    If the computer is domain joined, can that computer be placed into a security group, and then that security group be allowed access?

    All other non domain joined computers denied access by default.

    If this is possible can someone shed some light on how to do it.

    PS. I want to allow users access by default, but only if they are on a domain joined device.

    Kind Regards
    Mark
    Last edited by MarkJones; 11th June 2014, 15:40. Reason: update

  • #2
    Re: Limiting RRAS via computer

    Hi

    Does this help you - use NPS

    https://community.aerohive.com/aeroh...corporate_ssid
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #3
    Re: Limiting RRAS via computer

    Hi

    Thanks for the reply. I will have a read and let you know.

    Regards
    Mark


  • #4
    Re: Limiting RRAS via computer

    Hi.

    The link suggested kind of helps.

    I have got a basic setup of RRAS on Server 2008R2. During my testing I have found the following.

    If I have not got any NPS policy in place then no user can connect.
    If I add a simple NPS policy to allow a USER to connect by checking if the connecting user is a member of a security group - THIS works, the USER CAN connect.

    If I change the scope of the NPS policy from USER group to COMPUTER group and try to allow a connection based on the computer being a member of a security group, the user CANNOT connect.

    Is what I'm doing not going to be possible?

    PS this test was carried out using a clean setup of SRV2008R2 single domain controller, separate SRV2008R2 RRAS member server, all machines and test workstation on the same LAN SUBNET and all devices are domain members.

    Can someone help?

    Kind Regards
    Mark

  • #5
    Re: Limiting RRAS via computer

    I've only ever specified a security group as being allowed to connect via VPN and populated it with user accounts. Within the NPS policy there is the option, under the Conditions tab, to add another group.

    Did you try with both users and computer security groups?
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #6
    Re: Limiting RRAS via computer

    Hi

    Thanks for replying.

    Yes, as soon as I try to check the computer group (as a policy on its own or as part of an existing policy) I get no connection.

    I have since read/found the VPN connection won't supply the computer information for authentication as I thought possible.

    I have now setup SSTP with a self signed cert. This does at least allow me to distribute the CA to only devices I want to connect.

    I only want the VPN to allow users to print to a ZEBRA label printer installed on a Terminal Server. (Printer is installed on TS, IP port is IP address of laptop with printer connected via USB and shared.)

    Funding doesn't allow for any dedicated equipment to handle this task, hence why I was trying to restrict using the computer group. This would have been a perfect solution as only domain joined computers would be allowed.

    Regards
    Mark
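Added example, not code from any post in this thread. Posts #4 and #6 describe the symptom (the policy works with a user group condition, nothing connects once a computer group condition is added) but not how to see NPS's own verdict. NPS records every access decision in the Security log on the NPS server: event 6272 when access is granted and 6273 when it is denied, and the 6273 text carries the matching policy name and a reason code, which tells you whether the request hit the policy with the computer group condition or fell through to the default deny. The script below pulls those out. The field labels it parses (Account Name, Network Policy Name, Reason Code, Reason) are assumed from the standard event text, and the `-Hours` parameter is the example's own.

```powershell
# Added example, not from the thread. Lists recent NPS access decisions on the
# RRAS/NPS server so you can see which network policy matched and why a VPN
# connection was refused. NPS writes event 6272 (access granted) and 6273
# (access denied) to the Security log. The field labels parsed below are
# assumed from the standard text of those events.
param([int]$Hours = 24)

function Get-NpsField([string]$Message, [string]$Name) {
    # Each line of the event text looks like "<label>:<tab><value>".
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':\s*(.*?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NPS events in the last $Hours hour(s). If NPS auditing is off, enable it with: auditpol /set /subcategory:""Network Policy Server"" /success:enable /failure:enable"
    return
}

$events | ForEach-Object {
    $msg = $_.Message
    $result = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        Result  = $result
        Account = Get-NpsField $msg 'Account Name'
        Policy  = Get-NpsField $msg 'Network Policy Name'
        Code    = Get-NpsField $msg 'Reason Code'
        Reason  = Get-NpsField $msg 'Reason'
    }
} | Sort-Object Time -Descending | Format-Table Time, Result, Account, Policy, Code, Reason -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the NPS server. The Account column is also the practical explanation of the behaviour in #6: the identity NPS evaluates for a VPN request is the user account, so a Windows Groups condition naming a computer group has nothing to match and the request is denied.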


  • #7
    Re: Limiting RRAS via computer

    Thanks for that information. Considering that domain computers need to authenticate when starting up, I would have thought that this would not have been a problem. Weird.

    Thanks also for posting your fix.
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #8
    Re: Limiting RRAS via computer

    Hi

    Looks like I'm going for the SSTP cert in the live environment.

    One question..... As there is already an enterprise ROOT CA installed (this I think is going to be de-commissioned), am I OK to install a STANDALONE ROOT CA as well (probably on the RRAS server)? I can't see any problem as the ENTERPRISE CA is Active Directory linked and the STANDALONE is not. They should not conflict.

    Regards
    Mark
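Added example, not code from any post in this thread. With two root CAs on the network, the thing worth confirming on the RRAS server is which certificate SSTP is actually presenting and which root it chains to, so that the same root is the one distributed to the laptops. SSTP is served through HTTP.sys, so its certificate binding is visible with `netsh http show sslcert`; the rest is the standard .NET X509 chain API. The script assumes the SSTP listener is bound to `0.0.0.0:443` (the `$Binding` value is the example's own and can be changed).

```powershell
# Added example, not from the thread. Shows which certificate RRAS presents
# for SSTP and whether it chains to a trusted root on this server. SSTP is
# served through HTTP.sys, so the binding appears in "netsh http show sslcert".
# Assumes the SSTP listener is bound to 0.0.0.0:443; change $Binding otherwise.
$Binding = '0.0.0.0:443'

function Get-SstpCertificate([string]$IpPort) {
    $out = & netsh http show sslcert "ipport=$IpPort"
    foreach ($line in $out) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
            $thumb = $Matches[1]
            # -eq is case-insensitive, so netsh's lower-case hash matches the store's upper-case thumbprint.
            return Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        }
    }
    return $null
}

$cert = Get-SstpCertificate $Binding
if (-not $cert) { Write-Warning "No SSL binding with a certificate in LocalMachine\My found for $Binding"; return }

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Expires     : $($cert.NotAfter)"
"Self-signed : $($cert.Subject -eq $cert.Issuer)"

# Build the chain without a CRL lookup first, so a missing CRL does not hide
# a plain trust failure; the SSTP client's own check does include revocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Trusted chain on this server : $trusted"
foreach ($el in $chain.ChainElements) { "  - " + $el.Certificate.Subject }
if (-not $trusted) {
    foreach ($s in $chain.ChainStatus) { "  problem: $($s.Status) - $($s.StatusInformation.Trim())" }
}
```

Run it elevated on the RRAS server. Two caveats for the standalone-CA plan: the root shown at the end of the chain is the one that must be in each laptop's Trusted Root store, and SSTP clients check the server certificate for revocation by default, so the CRL published by that CA has to be reachable from the client side of the tunnel (before the VPN is up) or the connection will fail even though the root is trusted.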


  • #9
    Re: Limiting RRAS via computer

    I've never had to deal with CAs so can't answer your question, but someone else may be able to help.
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #10
    Re: Limiting RRAS via computer

    Hi

    Thanks for your input. I'll post another for the 2 CAs.

    Regards
    Mark