Remote Access - separate IP pools per user group


Hello,

I've been testing the remote access role on Windows Server 2008 R2 as a replacement for our current VPN solution, and so far it's been quite nice except for one major limitation that I can't find a way to overcome.

Our users are in different security groups which stand for different access permissions. That's why we need to use separate IP pools per security group so we can apply separate rules on our firewall per IP pool.

For example, users in security group "IT" should get IP addresses 192.168.0.1 - 254 and users in security group "Workers" should get IP addresses 192.168.20.1 - 254. We could then allow access to IT administration networks for the IP range 192.168.0.1 - 254 in our firewall but restrict that access for the range 192.168.20.1 - 254.

However, I can't find a way to make a certain security group get IP addresses only from a certain IP pool. I can create several IP pools in the remote access role, but they're all used together for all users, with IP addresses being taken from the first pool until it's full.

With our old VPN solution I can make the RADIUS server return an IP pool name with the attribute "Framed-Pool", so I can have it return different IP pool names depending on the security group. The VPN gateway can then pick an IP pool based on that name. With the remote access role there seems to be no way to refer to an IP pool.

As a workaround I could install multiple remote access servers, but since we need a lot of different security groups I would end up with more than 20 servers to meet our requirements. The best I came up with so far is assigning static IP addresses to each user in Active Directory, but this requires more administrative effort and is prone to errors. AD administrators (there's a lot of them) could also manipulate IP addresses on purpose to gain prohibited access.

If this isn't possible with the Windows remote access role, does anyone know if it works with other solutions like Cisco ASA? I really like the idea of using the Windows built-in VPN client instead of third-party software.
So if I were to go for another vendor for the VPN gateway, it would have to support L2TP over IPsec with separate IP pools per user group.

I hope someone can help with a solution or give me a definite answer on what is possible and what isn't.

Best regards
Dennis
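The static-IP workaround described in the post only enforces the firewall boundary if every user's assigned address actually sits inside the pool of that user's group. The following is an added example (not code from the poster or from Microsoft) that audits a constructed export of user, group and static IP records against the two pools named above, flagging out-of-pool, ambiguous, unassigned and duplicate entries; the pool sizes and the record format are assumptions.

```python
"""Audit static VPN IP assignments against per-group address pools."""
import ipaddress

# One pool per security group, modelled on the ranges in the post
# (the .1 - .254 ranges are represented here as the enclosing /24).
GROUP_POOLS = {
    "IT": ipaddress.ip_network("192.168.0.0/24"),
    "Workers": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed sample export, not real directory data. static_ip is None
# when the user's dial-in tab leaves the address to the shared pools.
SAMPLE_USERS = [
    {"name": "alice", "groups": ["IT"], "static_ip": "192.168.0.10"},
    {"name": "bob", "groups": ["Workers"], "static_ip": "192.168.20.15"},
    {"name": "carol", "groups": ["Workers"], "static_ip": "192.168.0.77"},
    {"name": "dave", "groups": ["IT", "Workers"], "static_ip": "192.168.0.5"},
    {"name": "erin", "groups": ["Workers"], "static_ip": None},
    {"name": "frank", "groups": ["Workers"], "static_ip": "192.168.20.15"},
]


def audit(users, pools):
    """Return (user, finding) tuples for every assignment that breaks policy."""
    findings = []
    seen = {}  # static IP -> first user it was assigned to
    for u in users:
        groups = [g for g in u["groups"] if g in pools]
        # A user in zero or several pooled groups has no single expected pool.
        if len(groups) != 1:
            findings.append((u["name"], f"ambiguous group membership: {groups}"))
            continue
        ip = u["static_ip"]
        # No static address means the user draws from whichever pool has
        # space, which defeats the per-group firewall rules.
        if ip is None:
            findings.append((u["name"], "no static IP, falls back to shared pools"))
            continue
        if ipaddress.ip_address(ip) not in pools[groups[0]]:
            findings.append((u["name"], f"{ip} is outside the {groups[0]} pool"))
        # Two users with the same static address cannot both connect and
        # usually indicate a copy-paste or deliberate change worth reviewing.
        if ip in seen:
            findings.append((u["name"], f"{ip} already assigned to {seen[ip]}"))
        seen.setdefault(ip, u["name"])
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS, GROUP_POOLS):
        print(f"{name}: {finding}")
```

Run it against a real export of group membership and dial-in static addresses on a schedule to catch assignments that drift out of their group's pool.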
