VPN 3030 & ACS 4.0

Unanswered Question

Hello All,

I need some guidance as I am not fully understanding how this works or if it's going to work as I would like it to.

We have an NT domain and RADIUS server living in our DMZ that is beginning to die. We also have ACS 4.0 set up inside our network to provide AD authentication for our network devices. It is already AD integrated and working fine in that respect. We also have local users for the purpose of access for consultants and contractors without AD accounts.

Our desire is to move the NT domain and server out to pasture and use the ACS to provide RADIUS authentication to the VPN 3030. I have enabled the VPN 3000 attributes and have created a VPN group in ACS. However (and this is the part where my confusion begins to creep in), how do I limit VPN authorization by AD groups? We have specific groups that are allowed VPN access. Not everyone is allowed to use the VPN. How do I pass those controls through with the ACS RADIUS server?

And other than pointing the VPN Concentrator to the ACS and creating the groups and Net Devices in ACS, what else are the 'gotchas'?

Thanks in advance.


0 votes
Overall Rating: 4 (2 ratings)
Jagdeep Gambhir Mon, 06/18/2007 - 12:33

Hi Jim,

So you want non-VPN users to not be allowed to access the VPN? If that is the case then you can use the NARs feature in ACS:


User---> ACSnonVPN group----->ADnonVPNgroup

In the ACSnonVPN group we will apply NARs that will deny access to the VPN box.

So non-VPN users won't be able to log in using the VPN.



darpotter Mon, 06/18/2007 - 23:30

NARs are definitely one way, but if you're already using your ACS for another part of the network you could consider this with ACS v4.0:

Create a NAP for just the VPN box. Each NAP has its own external authentication config that works in the same way as the global one.

In the NAP-specific group mappings you can select just the AD groups that should have VPN access; everything else gets mapped to "No Access".

This avoids "pollution" of your existing group configs. If you've not used NAPs before, the UI can take a little getting used to (ahem); however, it's worth a look.
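To make the two suggestions in this thread concrete, here is an added Python model of the ACS authorization decision. It is not Cisco ACS code and was not posted by either replier: it resolves a user to an ACS group through an ordered AD-group mapping list, then applies either a NAR that denies the non-VPN group on the VPN concentrator or a NAP-specific mapping whose unmatched default is "No Access". Every user, group name and NAS address is constructed. The model also goes one step beyond the thread by adding a third AD group (a hypothetical "Helpdesk") that is mapped globally for some other purpose, which shows why the per-NAP mapping with a "No Access" default is the safer choice: the NAR approach only blocks groups you remembered to attach a NAR to.

```python
"""Model of two ACS authorization designs for restricting VPN access by AD group.

Added illustration, not Cisco ACS code. All directory data, group names and
NAS addresses below are constructed for the example.
"""
from dataclasses import dataclass

NO_ACCESS = "No Access"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    nas_ip: str  # NAS-IP-Address of the device that forwarded the RADIUS request


# --- Constructed sample environment -----------------------------------------
VPN_NAS = "192.0.2.10"     # hypothetical address of the VPN 3030 concentrator
SWITCH_NAS = "192.0.2.20"  # hypothetical address of an internal network device

AD_GROUPS = {              # AD user -> AD group memberships (constructed)
    "alice": {"Domain Users", "VPN-Users"},
    "bob": {"Domain Users"},
    "carol": {"Domain Users", "Helpdesk"},
}
LOCAL_USERS = {"contractor1": "ACSVPN"}  # local ACS accounts -> static ACS group

# Global AD-group -> ACS-group mapping. ACS walks the list top to bottom and the
# first matching AD group wins, so order matters.
GLOBAL_MAPPING = [
    ("VPN-Users", "ACSVPN"),
    ("Helpdesk", "ACSHelpdesk"),   # hypothetical mapping added for another device; no NAR on it
    ("Domain Users", "ACSnonVPN"),
]

# Approach 1 (first reply): a NAR on the ACSnonVPN group that denies the VPN box.
NARS = {"ACSnonVPN": {VPN_NAS}}  # ACS group -> NAS addresses that group is denied

# Approach 2 (second reply): a NAP matched on the VPN NAS with its own mapping;
# any AD group not listed in the NAP mapping falls through to No Access.
NAPS = [
    {"name": "VPN-NAP", "nas": {VPN_NAS}, "mapping": [("VPN-Users", "ACSVPN")]},
    {"name": "Default", "nas": None, "mapping": GLOBAL_MAPPING},  # catch-all NAP
]


def map_to_acs_group(user, mapping):
    """Resolve a user to an ACS group: local users keep their static group,
    AD users walk the ordered mapping; no match means No Access."""
    if user in LOCAL_USERS:
        return LOCAL_USERS[user]
    groups = AD_GROUPS.get(user)
    if groups is None:
        return NO_ACCESS  # unknown in both stores: authentication fails outright
    for ad_group, acs_group in mapping:
        if ad_group in groups:
            return acs_group
    return NO_ACCESS


def authorize_with_nar(req):
    """Approach 1: global mapping, then a per-group NAR check against the NAS."""
    acs_group = map_to_acs_group(req.user, GLOBAL_MAPPING)
    if acs_group == NO_ACCESS:
        return False, NO_ACCESS
    if req.nas_ip in NARS.get(acs_group, set()):
        return False, f"NAR on {acs_group} denies NAS {req.nas_ip}"
    return True, acs_group


def authorize_with_nap(req):
    """Approach 2: pick the NAP by NAS, then use that NAP's own group mapping."""
    nap = next(n for n in NAPS if n["nas"] is None or req.nas_ip in n["nas"])
    acs_group = map_to_acs_group(req.user, nap["mapping"])
    if acs_group == NO_ACCESS:
        return False, f"{nap['name']}: {NO_ACCESS}"
    return True, acs_group


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "contractor1"):
        for nas in (VPN_NAS, SWITCH_NAS):
            req = AccessRequest(user, nas)
            print(f"{user:12} {nas:12} NAR={authorize_with_nar(req)} NAP={authorize_with_nap(req)}")
```

Running the block prints both decisions for each user and device. The two designs agree for the plain cases (VPN-Users get in, Domain Users are kept off the concentrator but still reach the switch, the local contractor account is allowed), but they diverge for the constructed Helpdesk user: the NAR design lets her onto the VPN because her group was mapped without a NAR, while the NAP design denies her because the VPN NAP lists only the groups that should have VPN access.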

