Restrict some users to access VPN

chicagotech (Level 1)

We set up Cisco VPN using a Cisco ASA in our Windows 2008 domain network. That works fine. All our domain users can establish the VPN right now. We would like to make a change. We want to restrict some users, such as volunteers and part-time employees, from accessing the VPN. I was thinking of removing the domain users from the VPN and creating a VPN group which excludes the above-mentioned users. The problem is we don't want to add each new user to the VPN group. Can we keep domain users as VPN users but restrict some users? If yes, how?

2 Accepted Solutions

czaja0000 (Level 1)

Hi,

Look at this document:

https://supportforums.cisco.com/docs/DOC-13713

________________

Best regards,
MB



As outlined in the document linked by MB, there are different ways to achieve that. I prefer another way:

  • The default group-policy that is attached to the tunnel-group disallows all communication.
  • On the Windows-RADIUS-Server I have profiles for each different user-group I want to distinguish. In the profile I match on the normal domain-groups and a new Group "VPN-Users" where all Users are members that should get access.
  • In the RADIUS-profile I set the attribute 25 (class) with the right group-policy for that user. The group policies are configured locally on that ASA.

With that it is quite easy to give VPN access to only those users who should have access and make sure that they get the right access based on their domain group.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
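As an added example, not taken from this thread or from Cisco's documentation: the ASA side of the approach in the answer above (a default group-policy that lets nobody in, with the RADIUS server selecting the real group-policy through attribute 25). The server name and address, the shared key, the group-policy, ACL and tunnel-group names, and the description of the NPS policies are all assumptions.

```cisco
! Added example: "deny by default, RADIUS Class picks the group-policy" on the ASA.
! Assumed names: RADIUS-AD, 10.0.0.5, NOACCESS, GP-STAFF, GP-ADMINS, REMOTE-VPN, ACL names.

! 1. The Windows RADIUS (NPS) server used to authenticate VPN users.
aaa-server RADIUS-AD protocol radius
aaa-server RADIUS-AD (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! 2. Default group-policy: a user who authenticates but receives no usable
!    Class attribute inherits this policy, and zero simultaneous logins
!    means the session is torn down immediately.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 3. The real group-policies, configured locally on the ASA. Each one
!    is only ever reached through the RADIUS Class attribute.
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-simultaneous-logins 3
 vpn-filter value STAFF-ACL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value STAFF-SPLIT

group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 vpn-simultaneous-logins 3
 vpn-filter value ADMIN-ACL

! 4. The tunnel-group authenticates against RADIUS and falls back to NOACCESS.
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group RADIUS-AD
 default-group-policy NOACCESS

! On the NPS side (not ASA configuration): one network policy per domain group,
! each requiring membership in BOTH the "VPN-Users" group and that domain group,
! and returning Class (attribute 25) in the form the ASA expects:
!   Class = "OU=GP-STAFF;"      for the staff policy
!   Class = "OU=GP-ADMINS;"     for the admin policy
! A volunteer or part-timer who is not in VPN-Users matches no policy and is
! rejected; anyone who slips through without a Class value ends up in NOACCESS.
```

To verify a given user's mapping, check the RADIUS reply on the NPS side and confirm on the ASA that the session shows the intended group-policy rather than NOACCESS.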


4 Replies


Yours should work, but I find the simple solution is to disable dial-in in Active Directory Users and Computers:

How to setup to deny VPN access on a user - Step by step with screenshots - http://www.howtonetworking.com/VPN/vpnpermission1.htm

The link provided here doesn't work. Is there another working link to a step-by-step document?