03-12-2007 07:36 AM
Hi!
I just got the VPN client connecting into the PIX authenticating directly to Active Directory (no RADIUS in between).
My problem is we want to selectively give VPN access to users in the AD. Right now, everyone in the AD can log on via VPN client.
In the PIX-RADIUS-AD setup (PIX v6), I know that this can be done by using the Dial-in tab to allow VPN access. We want to use this also in this case to allow VPN access.
We do not want to rearrange our user groups in the AD.
Does anyone have a similar experience?
Thanks.
03-12-2007 09:22 AM
On AD, Under Remote Access policy the option to allow/disallow dial in access is there. Works for Kerberos as well.
-Kanishka
03-12-2007 10:39 AM
Hi Kanishka,
Thanks for the prompt reply. Question: isn't this the same as choosing Allow access in the Dial-in tab in AD?
I'm using Cisco VPN client 4.x to connect to the PIX. When I click on the Deny access in the Dial-in Tab, I'm still allowed to access the VPN.
- bing
03-12-2007 10:49 AM
If you have it configured properly, on the Dial-in tab under the user's properties, check Allow or Deny access. If all else is set up properly you will receive the following in your System logs in Event Viewer for the deny access permission...
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
Are you running IAS?
03-12-2007 10:59 AM
No, I'm not running IAS.
I'm using this link to configure the PIX with AD. There's no RADIUS or IAS in between.
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b318.html
It seems that the Allow or Deny access doesn't matter. I'm authenticated regardless of the choice I make in the Dial-in tab (user properties).
It SEEMS that in this scenario the AD treats the PIX as an ordinary host logging in to AD and therefore does not treat it as a dial-in client, i.e. the Allow/Deny access doesn't take effect.
Appreciate your help on this matter.
Thanks!
06-13-2007 04:51 PM
OK, I just finished this problem up today. When you use the "protocol nt" command in the aaa-server, I believe it just queries the directory. I always had the same problem. I also found an article that says nt performs only authentication, not authorization. That is why it cannot read Windows groups. Set the aaa-server protocol to radius and then it will be able to read the Windows group specified in the IAS policy. This is the ONLY WAY to do this since it provides both authentication and authorization. Otherwise you can use a Kerberos/LDAP combo to make it work, but I thought the config was tough.
I will post my configs in the morning tomorrow if you need them.
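To make the distinction in the reply above concrete, here is an added example (not any poster's config) of the two aaa-server definitions side by side in PIX 7.x/ASA syntax. Server-group names, the DC address, the tunnel-group name, the address pool and the shared secret are placeholders.

```cisco
! Added example, not a poster's config: PIX 7.x / ASA syntax.
! Names, addresses and the shared secret are placeholders.
!
! --- The setup the original poster has: NT domain authentication only ---
! "protocol nt" checks the password against the domain controller but
! returns no authorization decision, so the account's Dial-in tab
! (Allow/Deny) and its group memberships are never consulted.
aaa-server AD-NT protocol nt
aaa-server AD-NT (inside) host 192.0.2.10
 nt-auth-domain-controller DC01
!
! --- The setup the last reply describes: RADIUS through IAS ---
! IAS evaluates the Remote Access Policy and the account's Dial-in
! permission and answers Access-Accept or Access-Reject, so a denied
! account (Reason-Code 65 in the event log) cannot bring up the tunnel.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER
 authentication-port 1645
 accounting-port 1646
!
! Bind the remote-access tunnel group to the RADIUS group, not the NT one.
ip local pool VPNPOOL 10.10.10.1-10.10.10.50
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 authentication-server-group AD-RADIUS
 address-pool VPNPOOL
```

On the IAS side the PIX must be registered as a RADIUS client with the same shared secret, and a remote access policy must grant access to the chosen Windows group; the per-user Dial-in setting is enforced by that policy evaluation, which the NT path never performs.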
07-06-2007 08:57 PM
Can you please post your configs? It will surely help me.
Thanks,