VPN 3030 & ACS 4.0

jphilope
Level 3

Hello All,

I need some guidance as I am not fully understanding how this works or if it's going to work as I would like it to.

We have an NT domain and RADIUS server living in our DMZ that is beginning to die. We also have ACS 4.0 set up inside our network to provide AD authentication for our network devices. It is already AD integrated and working fine in that respect. We also have local users for the purpose of access for consultants and contractors without AD accounts.

Our desire is to move the NT domain and server out to pasture and use the ACS to provide RADIUS authentication to the VPN 3030. I have enabled the VPN 3000 attributes and have created a VPN group in ACS. However - and this is the part where my confusion begins to creep in - how do I limit VPN authorization by AD groups? We have specific groups that are allowed VPN access. Not everyone is allowed to use the VPN. How do I pass those controls through with the ACS RADIUS server?

And other than pointing the VPN Concentrator to the ACS and creating the groups and Net Devices in ACS, what else are the 'gotchas'?

Thanks in advance.

Jim

3 Replies

Jagdeep Gambhir
Level 10

Hi Jim,

So you want non-VPN users not to be allowed to access the VPN? If that is the case then you can use the NARs feature in ACS,

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp697095

User---> ACSnonVPN group----->ADnonVPNgroup

In the ACSnonVPN group we will apply NARs that will deny access to the VPN box.

So non-VPN users won't be able to log in using the VPN.

Regards,

Jagdeep

darpotter
Level 5

NARs are definitely one way... but... if you're already using your ACS for another part of the network you could consider this with ACS v4.0:

Create a NAP for just the VPN box. Each NAP has its own external authentication config that works in the same way as the global one.

In the NAP-specific group mappings you can select just the AD groups that should have VPN access - everything else gets mapped to "No Access".

This avoids "pollution" of your existing group configs. If you've not used NAPs before the UI can take a little getting used to (ahem) however worth a look.
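To make the difference between the two answers concrete, here is a small Python model of the authorization decision, added as an illustration rather than ACS code or any Cisco API. It models ACS-style group-set mapping (an ordered list, first matching AD group set wins, unmatched users fall through to "No Access") as used in a per-NAP mapping, and a NAR on an ACS group that denies a particular AAA client. The AD group names, ACS group names and AAA client names ("vpn3030", "core-switch") are constructed for the example.

```python
"""Model of the two ACS 4.0 authorization approaches described in the thread.

Added illustration, not ACS code or its API. It models:
  1. Ordered external-DB group-set mapping (first match wins, no match
     maps to "No Access"), as configured per NAP.
  2. A NAR on an ACS group that denies access from a given AAA client.
All group and AAA client names below are constructed.
"""
from dataclasses import dataclass

NO_ACCESS = "No Access"


@dataclass(frozen=True)
class GroupMapping:
    ad_groups: frozenset   # every AD group in the set must be held (a "group set")
    acs_group: str         # ACS group the user is mapped to


@dataclass(frozen=True)
class AcsGroup:
    name: str
    # NAR: AAA clients (by name) that members of this group may not use
    denied_clients: frozenset = frozenset()


def map_user_to_acs_group(user_ad_groups, mappings):
    """First mapping whose AD group set is a subset of the user's AD groups
    wins; mapping order therefore matters. No match maps to No Access."""
    held = frozenset(user_ad_groups)
    for m in mappings:
        if m.ad_groups <= held:
            return m.acs_group
    return NO_ACCESS


def authorize(user_ad_groups, aaa_client, mappings, acs_groups):
    """Return (decision, acs_group). The mapping can deny on its own via
    No Access; a NAR on the mapped ACS group can deny per AAA client."""
    group = map_user_to_acs_group(user_ad_groups, mappings)
    if group == NO_ACCESS:
        return ("deny", group)
    g = acs_groups.get(group)
    if g is not None and aaa_client in g.denied_clients:
        return ("deny", group)
    return ("permit", group)


# --- constructed sample configuration ---
VPN_NAS = "vpn3030"          # hypothetical AAA client name for the VPN Concentrator
SWITCH_NAS = "core-switch"   # hypothetical AAA client for an existing network device

# Approach 1 (NAP for the VPN box only): map only the permitted AD groups;
# everything else falls through to No Access.
VPN_NAP_MAPPINGS = [
    GroupMapping(frozenset({"VPN-Users"}), "VPN"),
]

# Approach 2 (single mapping plus NAR): every domain user lands in some ACS
# group, and the non-VPN group carries a NAR denying the VPN AAA client.
GLOBAL_MAPPINGS = [
    GroupMapping(frozenset({"VPN-Users"}), "VPN"),
    GroupMapping(frozenset({"Domain Users"}), "ACSnonVPN"),
]
ACS_GROUPS = {
    "VPN": AcsGroup("VPN"),
    "ACSnonVPN": AcsGroup("ACSnonVPN", denied_clients=frozenset({VPN_NAS})),
}


def nap_decision(user_ad_groups):
    """Decision for a login arriving from the VPN box under the NAP approach."""
    return authorize(user_ad_groups, VPN_NAS, VPN_NAP_MAPPINGS, ACS_GROUPS)


def nar_decision(user_ad_groups, aaa_client):
    """Decision for a login from any AAA client under the NAR approach."""
    return authorize(user_ad_groups, aaa_client, GLOBAL_MAPPINGS, ACS_GROUPS)


if __name__ == "__main__":
    vpn_user = {"Domain Users", "VPN-Users"}
    staff = {"Domain Users"}
    print("NAP:", nap_decision(vpn_user), nap_decision(staff))
    print("NAR:", nar_decision(staff, VPN_NAS), nar_decision(staff, SWITCH_NAS))
```

Two things the model makes visible: with the NAP approach a user who is in no mapped AD group is denied without any NAR at all, while with the NAR approach the same user still gets an ACS group and is only blocked on the VPN AAA client (so that group can still reach the switches). In both cases the "VPN-Users" mapping has to sit above the broader "Domain Users" mapping; swapping the order would map every VPN user to the non-VPN group.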

Gentlemen,

Thank you both for the ideas and paths. I will try both to see which works best for us.
