Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2890
Views
0
Helpful
1
Replies

Issues with VPN and Active Directory "Log On To" user restrictions

msoultan562
Level 1
Level 1

‎09-29-2010 10:26 AM

Hello,

I don't have too many details about the exact system that our IT department is running, but hopefully I have enough information such that all of you might be able to help me out.

On our campus, we have Active Directory and we also have a Cisco VPN (trying to find out the exact appliance model number).  To log into our VPN, we can use our Active Directory domain logins and that all works great.  Since I am somewhat unfamiliar with Cisco systems, I'm guessing that this is through some kind of connection between the two systems (LDAP?).

I just ran into a hiccup lately where one of my domain accounts wasn't allowed to log in.  Upon further research we found that the domain account has "Log On To" restrictions set in the user account.  For those of you that aren't familiar with this setting, when editing an  Active Directory user, there is an option under the user preferences  called "Log On To".  When you press that button, you are presented with a  dialog in which you can specifically identify to which computers that user  account is allowed in to.  For one reason or another, the VPN system is not allowing the user to log in to the VPN because it's not part of that list.

Here's the deal - I'm not looking for a work-around because we can just as easily create another account that doesn't have those "Log On To" restrictions (but that opens up security holes, which is why we don't want to do it).  Instead, I'd like to find out if there's a way for that account to authenticate through the VPN while keeping those "Log On To" restrictions in place.  For some reason the VPN is honoring those restrictions and I'd like to know why so that I can pass this information on to our IT staff so that we can apply the change (if it's even possible).

In the mean time, I'll see what other information I can get about our system.  Please let me know if you need any more specifics about our setup and I'll see what I can get.

thanks!

Mike

1 person had this problem
Labels:
0 Helpful
1 Reply 1

msoultan562
Level 1
Level 1

‎09-29-2010 11:45 AM

I just got a message from the VPN admin and he said the VPN is "returning an error code of 'Invalid Password'".  He seems to think that the decision is getting made at the AD level and not at the VPN.  Oddly, it's not the incorrect password because when you remove the computers from the "Log On To" list, it authenticates just fine.

Unless someone has any ideas, it looks like we're going to have to create a specific VPN account without any logon restrictions... bummer.

0 Helpful
Customers Also Viewed These Support Documents