08-22-2007 07:03 AM - edited 03-10-2019 03:20 PM
I have a setup where my VPN users hit the ACS server for user authentication - off of AD. What I am not sure of is how to limit which users have VPN access.
All of the users would still need to authenticate for wireless (EAP) but be limited to either VPN access or No VPN access.
08-22-2007 07:12 AM
Solution would be to make use of CLI/DNIS NAR,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
Regards,
Prem
08-22-2007 08:21 AM
I have tried that and it does not seem to make a difference. If I add the AAA group (the firewall in this case) and add * for the CLI, DNIS, etc., it will still let me log into the VPN client as a user in that group.
Am I supposed to be putting something different in for the port, etc.?
08-22-2007 09:23 AM
I have the same problem. I haven't tested it yet but believe it will be along the lines of: create a new GPO in AD for VPN users. On the ACS you can do group mappings to specific AD groups and then limit it that way. But like I say, I haven't tested it yet. If you do get it right, please post your findings.
Thanks
Will