IAS Policy with Pix

preston · ‎05-23-2005

I have a pix 501, with vpn users authenticating off of MS 2000 IAS. Works great although I want to filter a few users to only be able access a couple PC's when they come in through the pix.

I created a new group on NT called Vendors, added the users to that group. I then created a new remote access policy that when the IP of the pix is used, and the vendor group condition is met, to only permit traffic to a certain subnet.

The users in that group can still login, but they can get to all the subnets. Not sure what I am missing here, any help would be appretiated.

pradeepde · ‎05-27-2005

The following guide for managing remote access should give you an idea,

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/basclnt.htm

preston · ‎05-27-2005

I read through it, still a little curious on how this can work. The radius part is working, all of my users are authentication useing their MS2000 logins. What isn't working is group restrictions, again these are NT restrictions.

Currently as long as they are allowed to have remote access on the server they can get in. Regardless of what Remote access policy I put on the account it still seems to let them through.

I did stumble on something about how the Radius server needs to download an access list off the pix, and it can do this by adding an atribute on the Remote access settings within IAS. I haven't tried that method yet.

The only other thing I can think of is to have two groups, one local one through radius. All the users except the ones that need restrictions use radius.

Only catch to this, can the pix 501 handle 2 groups, and if it does, in what order does it authenticate, meaning does it look in local then go to radius or the opposite.