Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
646
Views
0
Helpful
2
Replies

assign vpn users to different groups/ip-pools & NT domain authentication

aduerr
Level 1
Level 1

‎01-16-2004 03:47 AM

hi,

I`d like use a 3015 concentrator for remote access vpn with Microsoft machine certificates, different groups on the 3015 and xauth against (local) internal userdatabase and afterwards I`d like to change xauth internal against a NT domain.

How could I map users to their designated groups on the concentrator if they authenticate against the domain and not anymore against internal ?

Labels:
0 Helpful
2 Replies 2

shannong
Level 4
Level 4

‎01-16-2004 03:16 PM

The concentrator itself, Cisco ACS, and MS IAS can all provide authentication against an NT domain. If you want granular, sophisticated control over the users session, ACS is the best choice.

For group mathcing when using certificates, the OU in the certificate by must match a VPN concentrator group that the user will be authenticated with.

A more flexible option is to use the RADIUS IETF attribute #25 [Class]. The ACS server can be used to determine which group the user should belong in by checking to see if that users exists in a group you specify in the domain. You can then pass the value "ou=somegroup" to the concentrator when authenticating users. The VPN concentrator will apply the supplied group to the user regardless of which group they initially authenticate with. This is really easy with Cisco ACS, but I don't think MS IAS can pass this attribute correctly to the VPN concentrator, but I don't know this for a fact.

ACS can also tell the concentraotr what encryption methods to use for the user/group, what their filter/acl for access is, what the firewall rules should, and pretty much anything else you can define in a group on the concentrator. This means you don't even need multiple concentrator groups. You create one or two concentrator groups and let ACS hand out all relevant information about that user's/group's session based on their membership in an NT group.

0 Helpful

haleemk
Level 1
Level 1

‎01-18-2004 11:57 PM

Hi,

I have 3030 and I want MS 2000 Active directory to authenticate remote users instead using internal authentication.When I add 2000 Server as external authentication and test it fails.Problem is now that for every user we have to create an account in 3030 instead of using same active directory account.

Pl help

Thanx

0 Helpful
Customers Also Viewed These Support Documents