Hello
Our environment: Active Directory forest level 2003, users' dial-in properties are ignored, NPS server on MS Windows 2008 R2 Enterprise Edition, patched with all updates and used only for authentication, Watchguard VPN server XTM 510, software version 11.8.1. I want to allow access to network resources based on group membership. For example, members of domain group A have access only to servers/services A, members of group B have access only to servers/services B, etc. I configured the Watchguard server as follows:
First I created the global domain group VPN_SSL_IT_Admins, then I created a connection request policy and a network policy; both policies have the same Filter-Id parameter, which is the same as the group name VPN_SSL_IT_Admins. Then I created packet filter rules in the VPN server, then the next domain group, the next NPS policies, etc.
During testing I found a very strange problem: the NPS server sends back to the RADIUS client (the VPN server) two Filter-Id attributes (hex code 0xb) in the Access-Accept message, although the user is a member of only one group. One Filter-Id attribute is correct; the other is always the same as in the first policy (I didn't test which policy needs to be first, the connection request policy or the network policy). When I change the order of the policies in NPS, the Filter-Id attribute also changes.
I think this is a security flaw because the user has access to two network resources. As a workaround I created an empty domain global group (no members) and one connection request policy and one network policy in NPS; both policies are first in the processing order. NPS still sends two Filter-Id (0xb) attributes, but the connected user has access only to the allowed network resources/services.
I've also prepared a PDF document with pictures (NPS settings and Network Monitor captures), if anyone is interested.
Regards, Milan
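The symptom in the post is visible on the wire: an Access-Accept carrying two Filter-Id (type 11, 0x0b) attributes. The following is an added example, not code from the original post or from NPS or Watchguard, that builds a RADIUS packet in the RFC 2865 type/length/value layout, parses the attribute list back out, and flags an Access-Accept that carries more than one Filter-Id. The sample packet is constructed here: VPN_SSL_IT_Admins is the group name from the post, while VPN_SSL_Dummy is an assumed name for the empty workaround group, and the Response Authenticator is a placeholder rather than a real MD5. The same parser can be pointed at bytes pulled from a Network Monitor capture.

```python
import struct

# RADIUS constants from RFC 2865
ACCESS_ACCEPT = 2
FILTER_ID = 11        # Filter-Id, hex 0x0b, the attribute the post is about
REPLY_MESSAGE = 18    # used only to show that other attributes are skipped
HEADER_LEN = 20       # code(1) + identifier(1) + length(2) + authenticator(16)


def build_radius_packet(code, ident, authenticator, avps):
    """Serialise a RADIUS packet: header followed by type/length/value attributes.
    Only used to construct the sample below; nothing is sent on the network."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b""
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value does not fit in one AVP")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_avps(packet):
    """Return (code, [(type, value), ...]) with the usual length sanity checks,
    so a truncated or malformed capture raises instead of silently misparsing."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    avps = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, avps


def filter_ids(packet):
    """All Filter-Id values in wire order (NPS emits them in policy processing order)."""
    _code, avps = parse_avps(packet)
    return [value.decode("ascii", "replace") for attr_type, value in avps if attr_type == FILTER_ID]


def check_single_filter_id(packet):
    """Return (ok, values). ok is False when an Access-Accept carries more than one
    Filter-Id, which is the condition the post observed."""
    code, _avps = parse_avps(packet)
    ids = filter_ids(packet)
    return (code != ACCESS_ACCEPT or len(ids) <= 1), ids


# Constructed sample Access-Accept matching the behaviour described in the post:
# the first policy's Filter-Id (assumed name VPN_SSL_Dummy) followed by the
# correct one (VPN_SSL_IT_Admins), plus an unrelated Reply-Message attribute.
SAMPLE_AUTHENTICATOR = bytes(range(16))  # placeholder, not a real Response Authenticator
SAMPLE_ACCEPT = build_radius_packet(
    ACCESS_ACCEPT, 0x2A, SAMPLE_AUTHENTICATOR,
    [
        (FILTER_ID, b"VPN_SSL_Dummy"),
        (FILTER_ID, b"VPN_SSL_IT_Admins"),
        (REPLY_MESSAGE, b"Welcome"),
    ],
)

if __name__ == "__main__":
    ok, ids = check_single_filter_id(SAMPLE_ACCEPT)
    print("Filter-Id values in Access-Accept:", ids)
    print("exactly one Filter-Id:", ok)
```

Running the check over real captures tells you whether the VPN server is being handed two filter names regardless of which one it ends up applying; which of the two a given RADIUS client honours is client behaviour, not something the packet itself settles.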