ASA5520+windows 2008R2 NPS系统集成实现ipsec vpn用户分权认证

ASA5520+windows 2008R2 NPS系统集成要点在于，需要使nps的radius认证成功后返回参数Class的值与ASA中已配置好的2个策略组：vpnclient_policy 和 ipsec_vpn_policy名称一致。

windows NPS配置重点如下：

配置windows 2008R2的Network Policies项目，
添加第一条策略ASA5520-vpn-it，重点是将settings里面的standard添加返回参数attributes name值为“Class” ，value值为 “OU=vpnclient_policy;”
添加第二条策略ASA5520，重点是将settings里面的standard添加返回参数attributes name值为“Class” ，value值为 “OU=ipsec_vpn_policy;”


ASA配置重点如下：
定义2个策略组：vpnclient_policy 和 ipsec_vpn_policy

group-policy vpnclient_policy internal
group-policy vpnclient_policy attributes
dns-server value 10.75.131.65 219.148.204.66
group-lock value it@lncrland
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split-tunnel

group-policy ipsec_vpn_policy internal
group-policy ipsec_vpn_policy attributes
dns-server value 10.75.131.65 219.148.204.66
group-lock value lncrland
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split-tunnel

定义2个通道组：it@lncrland 和 lncrland

tunnel-group it@lncrland type remote-access
tunnel-group it@lncrland general-attributes
address-pool it_vpn_pool
authentication-server-group ipsec_vpn_auth LOCAL
default-group-policy vpnclient_policy
tunnel-group it@lncrland ipsec-attributes
pre-shared-key *****
tunnel-group lncrland type remote-access

tunnel-group lncrland general-attributes
address-pool ipsec_vpn_pool
authentication-server-group ipsec_vpn_auth LOCAL
default-group-policy ipsec_vpn_policy
tunnel-group lncrland ipsec-attributes
pre-shared-key *****
!