VPN Authorization to Active Directory group

matt.orlando
Level 1

Hello,

I am currently in the process of attempting to set up my company's new Cisco 3020 VPN Concentrator.

Is it possible to set up the following scenario?

User starts up Cisco SW VPN client (or WebVPN). They use a group name and password set up on the VPN Concentrator to go through IKE phases. They are then prompted for a username and password, where the user can enter their LAN user/pass from our Active Directory structure. The VPN concentrator then looks to see if the user is in a specific group in AD, called VPN_USERS. If not, they are denied access. If so, they are allowed access.

Is this scenario possible? If not, what are my alternatives? I want to make this as easy as possible for our users, but make the setup fairly straightforward as well. I have been looking at LDAP authorization, but I am unsure if that is what I am attempting to do.

Please help with whatever information can shed light on this.

Thank you,

Matt Orlando

2 Replies

thisisshanky
Level 11

Yes, it's possible. You will need a device called the Cisco Secure ACS server, which is a software solution that runs on Windows 2k or 2k3 on a server platform. ACS is nothing but a beefed-up version of RADIUS/TACACS+ authentication and authorization software. It lets you integrate AD users into the system. Any RADIUS authentication or authorization request sent from a device like a router, PIX firewall, VPN concentrator or any other Cisco equipment can be permitted/denied based on the user/group setting. You can import all the AD users into ACS through LDAP.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

TylerB11
Level 1

Matt,

I have a similar setup. You don't need an ACS server. Just use Windows IAS (Internet Authentication Service) with RADIUS. The instructions are on this site, under the configuration examples for the 3020.

Very easy.
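Both replies route the concentrator's username/password prompt through a RADIUS server (ACS or IAS) that consults AD and accepts only members of VPN_USERS. The following is an added example, not code from this thread, Cisco or Microsoft: a minimal Python model of that exchange on both sides, with RFC 2865 User-Password hiding, a Response Authenticator the concentrator checks before trusting the verdict, and a constructed in-memory stand-in for AD (the user entries and shared secret are hypothetical).

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for AD: user -> (password, group memberships). Not real data.
AD_USERS = {"morlando": (b"Pa55w0rd!", {"VPN_USERS"}), "jdoe": (b"hunter2", {"Domain Users"})}
VPN_GROUP = "VPN_USERS"                     # the AD group the question wants to authorize on
SECRET = b"example-shared-secret"           # hypothetical RADIUS shared secret (concentrator <-> IAS)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def pap_xor(data, secret, req_auth, reveal=False):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous *cipher* block),
    # seeded with the Request Authenticator. The same loop hides and reveals.
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if reveal else block
    return out.rstrip(b"\x00") if reveal else out


def access_request(user, password, ident=7):
    # What the concentrator sends once the user types LAN credentials.
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_xor(password, SECRET, req_auth))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def radius_server(req):
    # IAS/ACS side: authenticate the password, then authorize only VPN_GROUP members.
    req_auth, attrs, i = req[4:20], {}, 20
    while i < len(req):                     # walk the type/length/value attribute list
        attrs[req[i]] = req[i + 2:i + req[i + 1]]
        i += req[i + 1]
    user = attrs[USER_NAME].decode()
    pw = pap_xor(attrs[USER_PASSWORD], SECRET, req_auth, reveal=True)
    ok = (user in AD_USERS and hmac.compare_digest(AD_USERS[user][0], pw)
          and VPN_GROUP in AD_USERS[user][1])
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, req[1], 20)
    return hdr + hashlib.md5(hdr + req_auth + SECRET).digest()   # Response Authenticator


def verify_reply(req, reply):
    # Concentrator recomputes the Response Authenticator; a forged verdict is ignored.
    expected = hashlib.md5(reply[:4] + req[4:20] + reply[20:] + SECRET).digest()
    return reply[0] if hmac.compare_digest(reply[4:20], expected) else None
```

A user with valid AD credentials but no VPN_USERS membership (jdoe above) gets an Access-Reject, which is exactly the separation of authentication from authorization the question asks for.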