Today, we got to deal with a particularly fun issue at work.

We currently have our VPN access points set up to authenticate against our Active Directory installation, so users don’t have to remember separate usernames/passwords for their VPN account and their domain account (I’ll gripe about our lack of “single user login” another day).

We also have it set up so any user within AD can auto-create a VPN account as needed (which is needed, as our internal wireless traffic is routed back through the VPN gateways; not 100% sure why). Thus, the local authentication databases are getting quite large, as our use of internal wireless is steadily increasing. Now, the trick is this:

How do we auto-create accounts when the login is coming through the WAPs, but not when someone is directly accessing the VPN gateway from the outside? We have two VPN servers, but they’re load balanced and their authentication databases are synced. Thus, it wouldn’t do any good to force the WAP traffic through one of the two.

Thoughts?
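One way to frame the problem in code, as an added illustration that is not from the original post or from any particular VPN product: since both gateways share one synced database, the auto-create decision has to be made per login request rather than per gateway, and the only thing that distinguishes a WAP login from an outside login is the source network the request arrives from. The WAP subnets, usernames and the in-memory stand-in for the synced database below are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical address ranges the WAPs use when they hand traffic to the VPN
# gateways. These values are constructed for the example; the real ranges
# depend on how the wireless side is addressed.
WAP_SOURCE_NETS = [
    ipaddress.ip_network("10.50.0.0/16"),
    ipaddress.ip_network("10.51.0.0/24"),
]


@dataclass
class AuthDB:
    """Stands in for the local authentication database both gateways sync.

    Both gateway instances must consult the same object (or a synced copy),
    which is why the decision below cannot depend on which gateway got the
    connection.
    """
    accounts: set = field(default_factory=set)


def from_wap(source_ip: str) -> bool:
    """True if the login request arrived from one of the WAP source ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in WAP_SOURCE_NETS)


def handle_login(db: AuthDB, username: str, source_ip: str,
                 ad_authenticated: bool) -> str:
    """Decide what to do with a login after the AD check has already run.

    Returns one of:
      'rejected-ad'          - AD did not accept the credentials
      'accepted'             - local VPN account already exists
      'created'              - no local account, but request came via a WAP,
                               so the account is auto-created
      'rejected-no-account'  - no local account and request came from outside
    """
    if not ad_authenticated:
        return "rejected-ad"
    if username in db.accounts:
        return "accepted"
    if from_wap(source_ip):
        db.accounts.add(username)   # auto-create only for WAP-sourced logins
        return "created"
    return "rejected-no-account"


if __name__ == "__main__":
    shared_db = AuthDB()
    # Constructed sample logins; 203.0.113.0/24 is a documentation range used
    # here to represent an outside address.
    for user, src in [("alice", "10.50.3.7"), ("alice", "203.0.113.9"),
                      ("bob", "203.0.113.9"), ("bob", "10.51.0.200")]:
        print(user, src, handle_login(shared_db, user, src, True))
```

Two things this makes explicit. First, the rule is purely a function of the request, so it behaves identically on either load-balanced gateway; no traffic steering is needed. Second, because the database is shared, an account auto-created from a WAP is thereafter accepted from any source, including the outside; if that is not wanted, the database would need to record where an account was created and the outside path would need to check that flag. The source-address check is also only as good as the network path: if WAP traffic reaches the gateways through NAT or a shared uplink, the gateway must see an address that is unambiguously WAP-only.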