
RADIUS Authentication (multiple access policies in IAS?)

James Bond

Diamond Member
I have a couple Windows servers running IAS. One server is ours, and one server is a client's.

On our server, I have an access policy that says "only users in group X are granted access".
On the customer server, I have an access policy that says "All users in this domain are granted access".

For us, RADIUS is being used for authentication to our routers.
For our customer, RADIUS is being used for (remote access) VPN client connections.

So far, everything is working fine.

Today, though, I decided to create a new VPN group which is only for our employees. Our VPN group will have access to more subnets than the customer VPN group.

Here is my problem: If I use the RADIUS connection we already have (to our server), only users in "group X" can be authenticated. I want to allow access to everyone in our domain. Is it possible to create a new access policy which allows access to everyone in the domain? How would the router distinguish between the two access policies and know which one to use?

Maybe there is a better way to do this (freeRADIUS?)... Anyone know?
 
You could distinguish in the IAS policy which device uses which policy using the Client-IP-Address (authenticating device) attribute. You have to get inventive in IAS when using a single server for multiple purposes.

For instance, to facilitate a regionalized router authentication policy I had to tag each device configured in IAS with a specific label (AMER, EMEA, APAC, etc). In the IAS policies, each regional policy matched the Client-Friendly-Name to the regional label in addition to a domain group.
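The selection logic described in the reply above, as an added example that is not part of either post and is not IAS's own code: a simplified Python model in which the first policy whose conditions all match decides the request. The client table, IP addresses, group names and policy names are constructed for illustration, and glob patterns stand in for the server's own pattern-matching syntax.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Constructed RADIUS client table: source IP -> friendly name (regional label as prefix).
CLIENTS = {"192.0.2.10": "AMER-rtr1", "192.0.2.20": "EMEA-rtr1", "192.0.2.30": "VPN-gw1"}

@dataclass
class Policy:
    name: str
    client_ip: Optional[str] = None       # Client-IP-Address condition
    friendly_name: Optional[str] = None   # Client-Friendly-Name condition (glob here)
    group: Optional[str] = None           # Windows-Groups condition

    def matches(self, ip, name, groups):
        # Every condition that is set on the policy must match.
        return ((self.client_ip is None or ip == self.client_ip)
                and (self.friendly_name is None or fnmatch(name, self.friendly_name))
                and (self.group is None or self.group in groups))

# Hypothetical policy list, evaluated top to bottom.
POLICIES = [
    Policy("AMER routers", friendly_name="AMER-*", group="AMER-NetAdmins"),
    Policy("EMEA routers", friendly_name="EMEA-*", group="EMEA-NetAdmins"),
    Policy("Employee VPN", client_ip="192.0.2.30", group="Domain Users"),
]

def authorize(ip, groups, policies=POLICIES):
    """Return the name of the first matching policy, or None (access denied)."""
    name = CLIENTS.get(ip)
    if name is None:          # device is not configured as a RADIUS client
        return None
    for p in policies:
        if p.matches(ip, name, groups):
            return p.name
    return None               # no policy matched: deny

if __name__ == "__main__":
    for ip, groups in [("192.0.2.10", {"Domain Users", "AMER-NetAdmins"}),
                       ("192.0.2.20", {"Domain Users", "AMER-NetAdmins"}),
                       ("192.0.2.30", {"Domain Users"})]:
        print(ip, sorted(groups), "->", authorize(ip, groups))
```

An AMER admin is granted on the AMER router but denied on the EMEA router, while any domain user is granted through the VPN gateway only.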
 