08-18-2006 03:50 AM
Hello all,
We have a Cisco VPN 3005 concentrator at our HQ. I have a group configured which uses NT domain authentication and it works fine. The problem is, as long as the user has a domain account, anybody can connect.
Is there a way to restrict access only to certain users from the NT domain ?
Thanks,
Stefan
08-18-2006 04:17 AM
If you used ACS between the VPN3000 and the DC, then you could map AD groups on the ACS.
But if you go VPN3000 straight to DC, then I don't believe there's anything you can do on the VPN3000. Unless there is something you can do on the DC, such as restricting dial-in access on the user account so that Windows fails the login.
08-18-2006 04:38 AM
Unfortunately we don't use ACS; the authentication is done directly via Active Directory. But you gave me an idea.
We do have an internal LDAP server. I could create some users in this LDAP server and then configure it as the authorization server for my group on the concentrator. Then, hopefully, only users that are in my LDAP will be authorized and, after that, authenticated against AD. Will that work?
Thanks,
Stefan
08-20-2006 11:18 PM
Just wanted to follow up on my message. We used an existing LDAP server and we solved the problem. All we had to do was create the needed objectClass in the LDAP server (as described at http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html ) and assign it to the users who need VPN access. Then we configured the LDAP server as an authorization server for the group in the VPN Concentrator and everything worked.
08-22-2006 01:56 PM
I'm not quite sure what you mean (authorisation comes after authentication) but I'm glad it works for you.
08-28-2006 11:48 PM
Yes, you're right. The user connects, authentication kicks in (against the NT domain, which will succeed for any valid username) and then we get to authorization. But this time only those users defined in LDAP (and with the VPN3005 objectclass attached) will be authorized.
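As an added illustration of the two-stage flow described in this thread (this is not code from the thread, from Cisco, or from the concentrator itself), the following Python model runs a domain-style authentication first and then an LDAP-style authorization that only passes when the user's entry carries the VPN objectClass. The objectClass name `vpn3000User`, the DNs, the accounts and the LDIF export are constructed placeholders, not the names from the Cisco configuration guide; substitute the objectClass the guide defines.

```python
"""Model of the login flow from the thread: NT-domain authentication
(any valid domain account passes) followed by LDAP authorization
(only entries carrying the VPN objectClass pass).

Added illustration, not the concentrator's own code. VPN_OBJECTCLASS,
the DNs and the accounts below are constructed placeholders.
"""
from collections import defaultdict

# Assumed placeholder name for the custom objectClass the thread refers to.
VPN_OBJECTCLASS = "vpn3000User"

# Constructed LDIF export: alice carries the objectClass, bob does not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: vpn3000User
uid: alice
cn: Alice Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
"""

# Constructed stand-in for the NT domain: every account here is a valid login.
DOMAIN_ACCOUNTS = {"alice": "s3cret", "bob": "hunter2"}


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no changetype records).

    Returns {dn: {attribute_lowercase: [values]}}. A line beginning with a
    single space continues the previous attribute value, as LDIF allows.
    """
    entries = {}
    current = None
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():          # blank line ends the current entry
            current = None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        value = value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
            last_attr = None
            continue
        if current is None:          # attribute line outside any entry
            continue
        current[attr].append(value)
        last_attr = attr
    return entries


def authenticate(username, password):
    """Stage 1 (NT domain): any valid domain credential succeeds."""
    return DOMAIN_ACCOUNTS.get(username) == password


def authorize(directory, username, required_class=VPN_OBJECTCLASS):
    """Stage 2 (LDAP): the user's entry must carry the VPN objectClass.

    A user with no LDAP entry at all is denied, which is what restricts
    VPN access to the explicitly provisioned subset of domain accounts.
    """
    for entry in directory.values():
        if username in entry.get("uid", []):
            classes = {c.lower() for c in entry.get("objectclass", [])}
            return required_class.lower() in classes
    return False


def vpn_login(username, password, ldif_text=SAMPLE_LDIF):
    """Run both stages in order; returns (allowed, reason)."""
    if not authenticate(username, password):
        return False, "authentication failed"
    if not authorize(parse_ldif(ldif_text), username):
        return False, "authorization failed: no VPN objectClass"
    return True, "ok"


if __name__ == "__main__":
    for user, pwd in [("alice", "s3cret"), ("bob", "hunter2"), ("alice", "bad")]:
        print(user, vpn_login(user, pwd))
```

Both bob and alice are valid domain accounts, so stage 1 accepts them; only alice is provisioned in LDAP with the objectClass, so only she reaches the tunnel. Note that the check keys on the objectClass, not on the mere existence of an LDAP entry, so a directory that already holds all employees still restricts access to those explicitly marked.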