ScreenOS Firewalls (NOT SRX)
Posted by DerMike (Contributor, Posts: 15, Registered: 03-30-2008)

WebAdmin + XAUTH with MS Radius in parallel

Hi,

at the moment we face the following issue. Within our SSG-140 we want to enable RADIUS authentication for VPN connections and the web admin interface. For each of these scenarios I find a lot of helpful implementation documentation. But what if you want both of them?

After a lot of testing we still have not found a solution, but at least we narrowed the cause down to some nasty behaviour.

What we want is to have two user groups that can use VPN and/or can manage the firewall. For both of them I need a policy that sends back the required attributes to allow authentication. But only the first of both policies is evaluated. This is because MS Radius does not allow me to set an evaluation condition for the incoming attribute Ns-Access-Service-Type. This, according to Juniper documentation, shows whether a web auth or a VPN access takes place.

 

So we only have the following conditions:

1. IF "user is in group <vpn_users>" AND "sending device has ip <ip of firewall>"
   -> send back "allow VPN access".

2. IF "user is in group <admin_users>" AND "sending device has ip <ip of firewall>"
   -> send back "allow admin access".

If an admin user is assigned to both groups, he can either manage the firewall or can use VPN, whatever rule comes first. What we need would be something like that:

 

1. IF ... AND NS-ACCESS-SERVICE-TYPE=3
   -> send back "allow VPN access".

2. IF ... AND NS-ACCESS-SERVICE-TYPE=2
   -> send back "allow admin access".

 

Any ideas?

 

Best regards.
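The behaviour described in this post, modelled in code as an added example (it is not part of the original post and not Juniper or Microsoft code): a first-match policy evaluator like the one NPS uses, run once with policies that condition only on group and NAS address, and once with the additional NS-Access-Service-Type condition. The attribute values (3 for VPN/XAUTH, 2 for web admin) are taken from the post and are assumptions here, as is the sample firewall address.

```python
# Constructed model of first-match RADIUS network-policy evaluation.
# Not vendor code. Attribute values 3 (VPN/XAUTH) and 2 (web admin) follow
# the post above and are assumed, as is the sample NAS address.
from dataclasses import dataclass
from typing import List, Optional, Set

FIREWALL_IP = "192.0.2.1"   # constructed sample address of the SSG-140 (NAS)


@dataclass
class Request:
    """What the NAS sends: user, group membership (as resolved by the
    RADIUS server), the NAS address and the vendor-specific service type."""
    user: str
    groups: Set[str]
    nas_ip: str
    ns_access_service_type: Optional[int] = None


@dataclass
class Policy:
    name: str
    group: str
    nas_ip: str
    result: str
    service_type: Optional[int] = None   # None = no condition on the attribute

    def matches(self, req: Request) -> bool:
        if self.group not in req.groups or req.nas_ip != self.nas_ip:
            return False
        if self.service_type is None:
            return True
        return req.ns_access_service_type == self.service_type


def evaluate(policies: List[Policy], req: Request) -> str:
    """NPS-style ordered evaluation: the first matching policy decides,
    later policies are never consulted. Anything unmatched is rejected."""
    for policy in policies:
        if policy.matches(req):
            return policy.result
    return "reject"


# Policies as the post describes them today: group + NAS address only.
WITHOUT_SERVICE_TYPE = [
    Policy("vpn", "vpn_users", FIREWALL_IP, "allow VPN access"),
    Policy("admin", "admin_users", FIREWALL_IP, "allow admin access"),
]

# Policies as the post wants them: additionally keyed on NS-Access-Service-Type.
WITH_SERVICE_TYPE = [
    Policy("vpn", "vpn_users", FIREWALL_IP, "allow VPN access", service_type=3),
    Policy("admin", "admin_users", FIREWALL_IP, "allow admin access", service_type=2),
]


def admin_web_login() -> Request:
    """An admin who is in both groups logging in to the web admin interface."""
    return Request("alice", {"vpn_users", "admin_users"}, FIREWALL_IP, 2)


def admin_vpn_login() -> Request:
    """The same admin connecting via VPN (XAUTH)."""
    return Request("alice", {"vpn_users", "admin_users"}, FIREWALL_IP, 3)


def plain_vpn_user_web_login() -> Request:
    """A VPN-only user trying the web admin interface: must not get admin."""
    return Request("bob", {"vpn_users"}, FIREWALL_IP, 2)


if __name__ == "__main__":
    for label, policies in (("without attr", WITHOUT_SERVICE_TYPE),
                            ("with attr", WITH_SERVICE_TYPE)):
        print(label, "admin web ->", evaluate(policies, admin_web_login()))
        print(label, "admin vpn ->", evaluate(policies, admin_vpn_login()))
        print(label, "bob web   ->", evaluate(policies, plain_vpn_user_web_login()))
```

Without the service-type condition the admin's web login matches the VPN policy first and gets the wrong attributes back; with it, each login type reaches the policy meant for it, and a VPN-only user asking for web admin access falls through to reject.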