Always On VPN separate IP pools per user group

Victor G 21 Reputation points
2020-08-12T20:54:28.23+00:00

Hello experts,

I configured Always On VPN servers in AWS; everything works almost without any issues, but the problem is having separate IP pools per user group. This can be easily achieved with VLANs if using real hardware, as the NPS will send the VLAN ID to the RRAS server. But AWS does not support that, so how can I split the IP allocation based on user groups? I don't want to set up multiple VPN servers to have different IP pools with different restrictions... and right now I am out of decent ideas.

On Cisco ASA we have this and it works perfectly; users are prompted to select the VPN profile upon connection.

Thanks in advance!

Best,
Victor


Accepted answer
  1. Gloria Gu 3,891 Reputation points
    2020-08-13T06:46:05.39+00:00

    Hi,

    According to your issue, here are my suggestions:

    To achieve 'Always On VPN separate IP pools per user group', the network devices should support the VLAN feature. Then we can set up the RADIUS server, specifying the user group and the corresponding VLAN ID in a network policy. It will automatically assign the port that the computer connects to into the VLAN, based on the ID we specified in the policy, and obtain an address issued from the DHCP server.

    However, the environment in AWS doesn't support VLANs. It seems that you should switch to an environment which supports the VLAN feature to achieve this purpose, or use another third-party application such as Cisco, as you mentioned.

    The following links are cases similar to your issue; you can refer to them:
    https://social.technet.microsoft.com/Forums/en-US/420c26c7-79c4-44e9-b6e1-d386fb0d022f/remote-access-separate-ip-pools-per-user-group?forum=winserverNIS
    https://social.technet.microsoft.com/Forums/en-US/0a45e460-5284-4517-b772-9c99d4b8380c/can-dhcp-scopes-selected-based-on-users-ou-or-any-other-attribute-of-the-user-account?forum=winserverNIS

    -------If my answer is helpful to you, please remember to mark them as answer. Thank you!------

    Regards
    Gloria

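To make concrete what the network policy in the accepted answer returns, here is an added example (my own, not code from the thread or from NPS): it picks a VLAN by group membership in policy order, then encodes the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID) that carry the VLAN ID in a RADIUS Access-Accept, and decodes them back for checking. The group names and VLAN numbers are constructed; the attribute numbers and values are the standard ones.

```python
"""Encode/decode the RADIUS tunnel attributes that assign a VLAN per user group."""
import struct

# RADIUS attribute types and values from RFC 2868 and RFC 3580 (standard, not page-specific).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value meaning "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value meaning "IEEE 802"

# Constructed group-to-VLAN policy list; like NPS, the first matching policy wins,
# so put the most restrictive (or most specific) group first.
GROUP_VLAN_POLICY = [
    ("VPN-Admins", 10),
    ("VPN-Contractors", 30),
    ("VPN-Users", 20),
]

def select_vlan(user_groups, policy=GROUP_VLAN_POLICY):
    """Return the VLAN ID of the first policy whose group the user is a member of."""
    groups = set(user_groups)
    for group, vlan in policy:
        if group in groups:
            return vlan
    return None  # no policy matched; NPS would fall through to its remaining policies

def tagged_attr(attr_type, tag, payload):
    """One RADIUS TLV with a leading tag byte (RFC 2868 section 3): Type, Length, Tag, Value."""
    body = bytes([tag]) + payload
    return struct.pack("BB", attr_type, 2 + len(body)) + body

def vlan_attributes(vlan_id, tag=1):
    """The three attributes an Access-Accept carries to hand the session to a VLAN."""
    # Integer tunnel attributes have a 1-byte tag followed by a 3-byte value.
    return (tagged_attr(TUNNEL_TYPE, tag, struct.pack(">I", TUNNEL_TYPE_VLAN)[1:])
            + tagged_attr(TUNNEL_MEDIUM_TYPE, tag, struct.pack(">I", TUNNEL_MEDIUM_802)[1:])
            + tagged_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))

def parse_attributes(data):
    """Decode the tagged TLVs back into {type: (tag, value)} for verification."""
    out, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        tag, value = data[i + 2], data[i + 3:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = (tag, int.from_bytes(value, "big"))
        else:
            out[attr_type] = (tag, value.decode())
        i += length
    return out
```

These attributes are only acted on by a VLAN-capable access device behind the RADIUS server; with RRAS hosted on a network that has no VLANs, as in the AWS case above, nothing consumes them, which is exactly the gap the answer describes.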

1 additional answer

  1. Victor G 21 Reputation points
    2020-08-13T11:20:42.207+00:00

    Thanks Gloria,

    In the end it looks like I have to host the VPN server somewhere else....

    Best,
    Victor