10-21-04 12:48 PM
Alright, this is a little complex, but most of it is doable. The part that
is hard to do is the one-time accounts. This will take a little more work
(you will need to write an application to do some of the work, or look into
deploying Windows Provisioning Services (WPS) for it).
Now, to restrict a specific group to specific addresses, what you can do is
apply IP Filters. The way to do this is by creating groups in your AD and
adding users to the right group.
Then on the IAS server, you will need to create multiple policies, one for
each type of group. In the policy profile, you will add IP Filters that
will restrict access to specific locations.
I am not sure if PIX supports this (I mean IP Filters), but if it doesn't you
can use RRAS as your VPN server and it will take care of this for you.
So, once your users are on the wireless LAN, they can VPN to your VPN
server. When they authenticate with the VPN Server, they receive a set of IP
Filters. These filters will allow them access to specific locations in your
Intranet, or to all resources for the group that is supposed to access
everything.
Hope this helps.
I know the answer is a little bit messy; it would help a lot if you could send
a separate question for each problem, as it would make the answers more precise
and more related to the problem.
--
=============================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
=============================================
"emq" <nospam_emquiros@terra.es> wrote in message
news:uRnKAr0tEHA.1452@TK2MSFTNGP11.phx.gbl...
> Well, we have configured a VPN access from Internet to our network through
> the Firewall PIX for all users...
>
> Also we have configured wireless access; for security we have installed
> it in another VLAN outside the enterprise. A user connected to this VLAN can
> access the internet but can only access the intranet through a VPN
> connection.
> I want to give different permissions to different users.
> Also we want to create specific VPNs to access specific machines for users
> that don't belong to our enterprise, for example: customer support for
> specific machines...
>
> We also have a public library with some PCs inside with a local user for
> everybody; we want users to be able to access the internet only if they
> enter a number that is on the visit cards they receive at the
> entrance...
>
> We need different policies, and I believe it should be easy to
> administer if I could read the membership of a group...
> A user that belongs to an AD group can access a specific machine, a
> user that belongs to another group can access all machines...
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> news:OyAHdAztEHA.3252@TK2MSFTNGP10.phx.gbl...
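As an added illustration (not code from the thread or from IAS/RRAS), the group-to-policy-to-filter logic described in the reply above, modelled in Python: the AD group names, the policy order and the destination networks are constructed sample values. It shows the point a practitioner would want to verify, namely that policies are matched in order, so a user who is in both groups gets whichever policy is listed first, and that "permit only" filters deny everything not listed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical names): IAS-style remote access
# policies, evaluated top to bottom, each tied to one AD group and handing
# out a "permit only these destinations" filter set to the RRAS VPN client.
POLICIES = [
    # (policy name, required AD group, permitted destination networks)
    ("VPN-FullAccess", "VPN-AllResources", ["10.0.0.0/8"]),
    ("VPN-SupportOnly", "VPN-CustomerSupport", ["10.20.5.10/32", "10.20.5.11/32"]),
]


def select_policy(user_groups, policies=POLICIES):
    """Return (policy name, permitted networks) for the first policy whose
    group condition the user satisfies; later policies are never reached.
    No match at all means the connection is rejected (None, [])."""
    for name, group, nets in policies:
        if group in user_groups:
            return name, [ip_network(n) for n in nets]
    return None, []


def is_permitted(dest, permitted_nets):
    """Input/output filters of the 'permit only' kind: default deny, a packet
    passes only if its destination falls inside one of the listed networks."""
    addr = ip_address(dest)
    return any(addr in net for net in permitted_nets)


def check_access(user_groups, dest):
    """Full decision for one user and one destination address."""
    name, nets = select_policy(user_groups)
    if name is None:
        return None, False
    return name, is_permitted(dest, nets)


if __name__ == "__main__":
    for groups, dest in [({"VPN-CustomerSupport"}, "10.20.5.10"),
                         ({"VPN-CustomerSupport"}, "10.20.7.1"),
                         ({"VPN-AllResources", "VPN-CustomerSupport"}, "10.20.7.1"),
                         (set(), "10.20.5.10")]:
        print(sorted(groups), dest, "->", check_access(groups, dest))
```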