PIX v7 VPN authentication w/ Active Directory

Unanswered Question
Mar 12th, 2007
User Badges:


I just got the VPN client connecting into the PIX authenticate direct to Active Directory. ( No radius in between)

My problem is we want to selectively give VPN access to users in the AD. Right now, everyone in the AD can log-on via VPN client.

in the PIX-RADIUS-AD setup (pix v6), i know that this can be done by using the Dialin Tab to allow VPN access. We want to use this also in this case to allow VPN access.

We do not want to rearrange our user groups in the AD.

Does anyone have a similar experience?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kaachary Mon, 03/12/2007 - 09:22
User Badges:
  • Cisco Employee,

On AD, Under Remote Access policy the option to allow/disallow dial in access is there. Works for Kerberos as well.


zaballa805 Mon, 03/12/2007 - 10:39
User Badges:

Hi Kanishka,

Thanks for the prompt reply. question. Isn't this the same as choosing the Allow access in the Dial-in Tab in AD?

I'm using Cisco VPN client 4.x to connect to the PIX. When I click on the Deny access in the Dial-in Tab, I'm still allowed to access the VPN.

- bing

acomiskey Mon, 03/12/2007 - 10:49
User Badges:
  • Green, 3000 points or more

If you have it configured properly, on the Dial In tab under the users properties, check Allow or Deny access. If all else is set up properly you will receive the following in your System logs in event viewer for the deny access permission....

Reason-Code = 65

Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.

Are you running IAS?

zaballa805 Mon, 03/12/2007 - 10:59
User Badges:

no i'm not running IAS.

I'm using this link to configure the PIX with AD. there's no RADIUS or IAS in between.


it seemed that the Allow or Deny Access doesn't matter. I'm authenticated regardless of the choice i make in the Dial In tab (user properties)

it SEEMED, that in this scenario, the AD treats the PIX as an ordinary host logging in to AD and therefore does not treat it as a dial-in client. i.e. the Allow/Deny access doesn't take effect.

appreciate your help on this matter.


dbakula01 Wed, 06/13/2007 - 16:51
User Badges:

ok, i just finished this problem up today, when you use the "protocol nt" command in the aaa-server i believe it just querys the directory. I always got had the same problem. I also found an article that says nt performs only authentication, not authorization. That is why it cannot read windows groups. Set the aaa-server protocol to radius and then it will be able to read windows group specified in the IAS policy. This is the ONLY WAY to do this since it provides both authentication and authorization. Otherwise you can use a kerberos/ldap combo to work, but i thought the config was tough.

i will post my configs in the morning tomorrow if you need them


This Discussion