Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
659
Views
0
Helpful
6
Replies

PIX v7 VPN authentication w/ Active Directory

zaballa805
Level 1
Level 1

‎03-12-2007 07:36 AM

Hi!

I just got the VPN client connecting into the PIX authenticate direct to Active Directory. ( No radius in between)

My problem is we want to selectively give VPN access to users in the AD. Right now, everyone in the AD can log-on via VPN client.

in the PIX-RADIUS-AD setup (pix v6), i know that this can be done by using the Dialin Tab to allow VPN access. We want to use this also in this case to allow VPN access.

We do not want to rearrange our user groups in the AD.

Does anyone have a similar experience?

Thanks.

Labels:
0 Helpful
6 Replies 6

kaachary
Cisco Employee
Cisco Employee

‎03-12-2007 09:22 AM

On AD, Under Remote Access policy the option to allow/disallow dial in access is there. Works for Kerberos as well.

-Kanishka

0 Helpful

zaballa805
Level 1
Level 1
In response to kaachary

‎03-12-2007 10:39 AM

Hi Kanishka,

Thanks for the prompt reply. question. Isn't this the same as choosing the Allow access in the Dial-in Tab in AD?

I'm using Cisco VPN client 4.x to connect to the PIX. When I click on the Deny access in the Dial-in Tab, I'm still allowed to access the VPN.

- bing

0 Helpful

acomiskey
Level 10
Level 10
In response to zaballa805

‎03-12-2007 10:49 AM

If you have it configured properly, on the Dial In tab under the users properties, check Allow or Deny access. If all else is set up properly you will receive the following in your System logs in event viewer for the deny access permission....

Reason-Code = 65

Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.

Are you running IAS?

0 Helpful

zaballa805
Level 1
Level 1
In response to acomiskey

‎03-12-2007 10:59 AM

no i'm not running IAS.

I'm using this link to configure the PIX with AD. there's no RADIUS or IAS in between.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b318.html

it seemed that the Allow or Deny Access doesn't matter. I'm authenticated regardless of the choice i make in the Dial In tab (user properties)

it SEEMED, that in this scenario, the AD treats the PIX as an ordinary host logging in to AD and therefore does not treat it as a dial-in client. i.e. the Allow/Deny access doesn't take effect.

appreciate your help on this matter.

Thanks!

0 Helpful

dbakula01
Level 1
Level 1
In response to zaballa805

‎06-13-2007 04:51 PM

ok, i just finished this problem up today, when you use the "protocol nt" command in the aaa-server i believe it just querys the directory. I always got had the same problem. I also found an article that says nt performs only authentication, not authorization. That is why it cannot read windows groups. Set the aaa-server protocol to radius and then it will be able to read windows group specified in the IAS policy. This is the ONLY WAY to do this since it provides both authentication and authorization. Otherwise you can use a kerberos/ldap combo to work, but i thought the config was tough.

i will post my configs in the morning tomorrow if you need them

0 Helpful

smunzani
Level 1
Level 1
In response to dbakula01

‎07-06-2007 08:57 PM

Can you please post your configs? It will surely help me.

Thanks,

0 Helpful
Customers Also Viewed These Support Documents