458 Views, 0 Helpful, 1 Reply

Documentation on how to grant "VPN","Wireless" access to Windows group

news2010a
Level 3

Win2003 Active Directory.

I am planning to create a Windows security group (global) "WirelessUsers" and a group named "VPNUsers".

Then I would need to go to ACS 3.3 and configure a mapping to allow such groups to access wireless and VPN respectively. Users who are not members of such groups should not have access to VPN or wireless.

Few questions

1) Can you point me to documentation which shows a similar configuration?

I have browsed the Cisco website and so far I have seen the section "Set group membership" http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335ee.html

But I did not see "how to" sections showing how I can grant VPN or wireless permissions for a certain Windows active directory security group.

2) I see that the latest version of ACS is 4.0? Is anyone out there using ACS 4.0? Is it a stable product, or should I be OK with ACS 3.3?

1 Reply

annnguy
Level 1

Essentially what you will have to do is create Network Access Restrictions for each group in ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

So for example, you have two AD groups and two ACS groups: AD_VPN and AD_Wireless, ACS_VPN and ACS_Wireless.

In your Database Group Mapping, you'll have:

- AD_VPN maps to the ACS_VPN group

- AD_Wireless maps to the ACS_Wireless group

Then in your ACS_VPN group, you would create a network access restriction which states that users in this group can ONLY authenticate to your VPN headend. Similarly with wireless, the ACS_Wireless group has its own NAR that restricts access to only wireless APs.

So what happens is, when a user who is only in the AD_VPN group in Active Directory tries to VPN in, he/she gets mapped to the ACS_VPN group, authenticates successfully, and is given VPN access. If this same user tries to log into wireless, he/she will still get mapped to the ACS_VPN group, but because of the NAR applied to that group, will be denied access. Similarly, this goes for wireless users.

I hope this is the functionality that you were looking for.

Sincerely,

Annie
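
The decision flow Annie describes, as an added example that is not part of the original thread and not Cisco code: a small Python model of the ACS 3.x "Database Group Mapping" step followed by the per-group, IP-based Network Access Restriction. The AAA-client addresses (192.0.2.10 for the VPN headend, 198.51.100.0/24 for the APs), the group names, the ACS_Default fallback group and the assumption that ACS walks the ordered mapping list and uses the first matching entry are all illustrative; verify the mapping precedence on your own ACS version. The model also shows one case the two-entry scheme in the reply does not cover: a user who is in both AD groups gets mapped to a single ACS group and is therefore denied at the other service unless a combined mapping entry is added ahead of the single-group ones.

```python
"""Model of AD-group -> ACS-group mapping plus per-group NAR enforcement.

Added example, not from the original post or from Cisco. Names, addresses and
the first-match mapping order are assumptions made for illustration.
Authentication against AD is assumed to have already succeeded; only the
authorization decision that follows is modelled here.
"""
from ipaddress import ip_address, ip_network

# --- Constructed inventory of AAA clients (network devices) ---
VPN_HEADEND = ip_network("192.0.2.10/32")      # assumed VPN concentrator
WIRELESS_APS = ip_network("198.51.100.0/24")   # assumed AP management subnet

# ACS "Database Group Mappings" for the Windows database, in list order.
# Each entry: (set of AD groups the user must be a member of, ACS group).
# Assumed ACS behaviour: first matching entry wins.
REPLY_MAPPINGS = [                 # exactly the two entries the reply proposes
    ({"AD_VPN"}, "ACS_VPN"),
    ({"AD_Wireless"}, "ACS_Wireless"),
]
RECOMMENDED_MAPPINGS = [           # combined entry first, for dual-service users
    ({"AD_VPN", "AD_Wireless"}, "ACS_Both"),
] + REPLY_MAPPINGS
DEFAULT_ACS_GROUP = "ACS_Default"  # assumed fallback for users matching no entry

# IP-based Network Access Restrictions: ACS group -> permitted AAA-client
# networks. A group with an entry may authenticate ONLY through the listed
# devices; an empty list denies everywhere; a group with no entry has no NAR.
NARS = {
    "ACS_VPN": [VPN_HEADEND],
    "ACS_Wireless": [WIRELESS_APS],
    "ACS_Both": [VPN_HEADEND, WIRELESS_APS],
    "ACS_Default": [],             # non-members of either AD group get nothing
}


def map_to_acs_group(ad_groups, mappings):
    """Return the ACS group for a user with these AD groups (first match wins)."""
    member_of = set(ad_groups)
    for required, acs_group in mappings:
        if required <= member_of:
            return acs_group
    return DEFAULT_ACS_GROUP


def nar_permits(acs_group, nas_ip):
    """Apply the group's IP-based NAR to the address of the requesting NAS."""
    if acs_group not in NARS:      # no NAR configured: ACS permits the request
        return True
    addr = ip_address(nas_ip)
    return any(addr in net for net in NARS[acs_group])


def authorize(ad_groups, nas_ip, mappings=RECOMMENDED_MAPPINGS):
    """Return (acs_group, allowed) for a user hitting the NAS at nas_ip."""
    acs_group = map_to_acs_group(ad_groups, mappings)
    return acs_group, nar_permits(acs_group, nas_ip)


if __name__ == "__main__":
    # Constructed requests: (AD memberships, NAS address, label)
    requests = [
        ({"AD_VPN"}, "192.0.2.10", "VPN-only user at VPN headend"),
        ({"AD_VPN"}, "198.51.100.7", "VPN-only user at wireless AP"),
        ({"Domain Users"}, "192.0.2.10", "ordinary user at VPN headend"),
        ({"AD_VPN", "AD_Wireless"}, "198.51.100.7", "dual member at AP"),
    ]
    for groups, nas, label in requests:
        print(f"{label:35s} reply mappings -> {authorize(groups, nas, REPLY_MAPPINGS)}"
              f"  recommended -> {authorize(groups, nas)}")
```

Run it stand-alone to see the two mapping tables side by side; the dual-member row is the one that changes. On a real ACS the equivalent fix is an additional group-set mapping that lists both AD groups, placed above the single-group entries, with a NAR on its ACS group that permits both the headend and the APs.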
