问题描述

亲爱的同事，

我们正在为VPN连接实现Azure MFA，并尝试为此配置NPS扩展.

We're implementing Azure MFA for our VPN connections and trying to configure NPS extension for that.

如官方指南中所述-如果我们希望我们的一些用户拥有MFA，而有些则没有，那么我们需要制造2台NPS服务器.

As it is said in official guide - if we want some of our users to have MFA and some not then we need to make 2 NPS servers.

在一个上安装NPS扩展，而不在另一个上安装，并配置客户端以进行相应的连接.

Install NPS extension on one and do not install on another and configure clients to connect accordingly.

https://docs.microsoft.com/zh-cn/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa

问题是我们要为这样的作业设置2个活动目录安全组.

The problem is that we want to have 2 active directory security groups for such a job.

但是我们不知道如何以及在何处配置这种重定向:

But we do not know how and where we can configure such redirection:

 -我们的VPN RADIUS客户端Cisco ASA可以将VPN RADIUS请求重定向到仅一台NPS服务器，

 - our VPN RADIUS client Cisco ASA can redirect VPN RADIUS requests to only one NPS server,

它无法进入我们的Active Directory并检查哪个组用户拥有，而且为什么我们需要半径

it can't go to our Active Directory and check which group user has, moreover then why we need radius

 -NPS RADIUS可以选择充当代理和重定向请求，但是没有安全组选项

 - NPS RADIUS has an option to act as proxy and redirect requests, BUT there is NO security group option

只有非常基本的属性，例如用户名模式，客户端ip.因此，我们无法按安全组重定向RADIUS请求

only very basic attributes like username pattern, client ip. So we can't redirect RADIUS requests by security group

https://docs.microsoft.com/zh-cn/windows-server/networking/technologies/nps/nps-crp-crpolicies#connection-request-policy-conditions

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-crpolicies#connection-request-policy-conditions

如何配置AD安全组对RADIUS请求的重定向?

How we can configure redirection of RADIUS requests by AD security group?

社区，请帮助！

谢谢！

BR，

尼古拉

推荐答案

这篇关于NPS扩展-配置多个NPS RADIUS服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！