VPN authenticating to active directory, how to restrict users

Jun 5th, 2007

I currently have my ASA authenticating VPN users against the Active Directory in conjunction with the Cisco VPN Client. I got this working great, but it seems like anyone with the client is able to authenticate. In Active Directory, under the Dial-in tab for a user, there is a Remote Access Permission setting with the options:

- Allow Access
- Deny Access
- Control access through Remote Access Policy

If I have Deny selected, they can still VPN in.

Please tell me if there is any way to accomplish this or a workaround. Thanks


thult Tue, 06/05/2007 - 06:08

Normally, you configure the IAS profile for a specific AD-group. Please check if the user is a member of that group.

dbakula01 Tue, 06/05/2007 - 06:28

The VPN group specified in IAS does not have the user account I can connect with. Here is my config for this:

    aaa-server IAS protocol nt
    aaa-server IAS host
    nt-auth-domain-controller dcpdc

The authentication protocol is NT, I don't know if that helps.

froggy3132000 Wed, 06/06/2007 - 01:35

He is talking about on your IAS server. Check your configuration of your Windows box, your answer is there.

guibarati Mon, 06/18/2007 - 09:32

I can tell you I'm almost sure there is no document good enough to explain that to you at cisco.com, so I've done a document by myself. I'm sorry it's in Portuguese (my language); you can use some translator to understand it.

There is no explanation of the IAS configuration in this document, but you said you have it already.

Please rate the post if it helps.

dbakula01 Mon, 06/18/2007 - 09:38

Thanks for your post, but I got it just after posting this. The problem with using the aaa-server protocol nt is that it uses NTLM authentication but no authorization. I ended up using RADIUS for this since it is able to use both authentication and authorization. That was my issue.
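As an added illustration of the fix the last reply describes (this is example configuration written for this page, not the poster's actual config or a Cisco document), the ASA below authenticates the tunnel group against IAS over RADIUS instead of NTLM. Because IAS evaluates the user's Dial-in permission and the Remote Access Policy, a user set to Deny Access or outside the allowed AD group is rejected at the RADIUS step; with protocol nt the ASA only checked the password. The default group policy NOACCESS allows zero sessions, so a user who authenticates but is not assigned a group policy by IAS still cannot connect; the IAS policy for the permitted AD group must return the RADIUS Class attribute (25) with the value OU=VPN-USERS; which the ASA maps to the VPN-USERS group policy. The server address, shared key, interface, and tunnel-group and group-policy names are placeholders and assumptions.

```cisco
! Added example, not the poster's configuration. IP, key and names are placeholders.
! RADIUS server group pointing at the IAS box (assumed address on the inside interface).
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1645
 accounting-port 1646

! Default policy: authenticates but allows no sessions, so unmatched users are denied.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy assigned by IAS via Class attribute "OU=VPN-USERS;" for members of the allowed AD group.
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3

! Remote-access tunnel group for the Cisco VPN Client; falls back to NOACCESS unless IAS assigns a policy.
tunnel-group RemoteAccess type ipsec-ra
tunnel-group RemoteAccess general-attributes
 authentication-server-group IAS
 default-group-policy NOACCESS
```

To confirm the restriction works, test one user who is a member of the allowed group and one who is set to Deny Access on the Dial-in tab; the second should fail during authentication on the ASA, and the IAS system log on the Windows server will show the reject with the policy reason. If a user authenticates but is dropped immediately, IAS is not returning the Class attribute and the NOACCESS default is doing its job.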


This Discussion