Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
770
Views
0
Helpful
7
Replies

VPN authenticating to active directory, how to restrict users

dbakula01
Level 1
Level 1

‎06-05-2007 05:11 AM

i currently have my ASA authenticating VPN users against the active directory in conjunction with the Cisco VPN Client. I got this working great but it seems like anyone with the client is able to authenticate. In active directory under the dial-in tab for a user there is a Remote Access Permission

there are options for Allow Access

Deny Access

Control through remote access

if i have deny selected they can still vpn in.

PLease tell me if there is any way to accomplish this or a workaround. thanks

Darren

Labels:
0 Helpful
7 Replies 7

thult
Level 1
Level 1

‎06-05-2007 06:08 AM

Normally, you configure the IAS profile for a specific AD-group. Please check if the user is a member of that group.

0 Helpful

dbakula01
Level 1
Level 1
In response to thult

‎06-05-2007 06:28 AM

the vpn group specified in IAS does not have the user account i can connect with. here is my config for this

aaa-server IAS protocol nt

aaa-server IAS host 192.168.1.5

nt-auth-domain-controller dcpdc

the authentication protocol is NT, i dont know if that helps

0 Helpful

froggy3132000
Level 3
Level 3
In response to dbakula01

‎06-06-2007 01:35 AM

He is talking about on your IAS server. Check your configuration of your Windows box, your answer is there.

0 Helpful

thult
Level 1
Level 1
In response to dbakula01

‎06-06-2007 01:11 PM

I usually use Radius myself.

The configuration would look like this:

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host "AD Domain controller"

This requires at least Windows 2000 servers that are running IAS.

Here is a link how to configure it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

0 Helpful

guibarati
Level 4
Level 4

‎06-18-2007 09:32 AM

I can tell you i'm almost sure there is no document good enogh to explain you that at cisco.com, so i've done a document by myself, i'm sorry it's on portuguese ( my lenguege) you can use some translator to understand it.

There is no explanation for IAS configuration in this document, but you said you have it already

Please hate the post if helps.

0 Helpful

dbakula01
Level 1
Level 1
In response to guibarati

‎06-18-2007 09:38 AM

thanks for your post, but i got it just after posting this. The problem with using the aaa-server protocol nt

is that it uses ntlm authentication but no authorization. I ended up using radius for this since it is able to use both authentication and authorization. that was my issue

0 Helpful

cquick11
Level 1
Level 1
In response to dbakula01

‎08-14-2007 11:08 AM

Did you make a radius server on windows 2000 or 2003?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents