VPN Client with NT Domain specific group Authentication!

Unanswered Question
Jan 25th, 2008

I was able to integrate NT Domain authentication for the VPN clients, however I need to know if I can restrict this Authentication to a particular User group in the NT. All other users should not be allowed to VPN in.

mparella Mon, 01/28/2008 - 16:51

I have the same question. Did you ever get an answer to this? Is there a way to limit which users in AD can access VPN?

pengfang Mon, 01/28/2008 - 22:38

Yes, you can achieve this, but it has to involve a RADIUS server for authorization. The simplest way is to use Microsoft IAS as the RADIUS server and the AD/NT Domain for credential authentication. The key concept is:

1. On IAS server,the user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.

2. The connection attempt is authorized with both the dial-in properties of the user account and remote access policies.

3. If the connection attempt is both authenticated and authorized, the IAS server sends an Access-Accept message to the access server.

4. If the connection attempt is either not authenticated or not authorized, the IAS server sends an Access-Reject message to the access server.

For example, you have 3 groups under the DC: IT, Engineering and Finance. You want only IT and Engineering to access the VPN, so you need to enable these 2 groups to access the VPN through the "dial-in properties"; Finance group users can't access the VPN because authorization fails.

The reason for choosing RADIUS is: not all of the authentication and authorization methods available in PIX/ASA 7.x software are supported for VPN users. This table details which methods are available for VPN users:


Authentication Yes Yes Yes Yes Yes Yes No

Authorization Yes Yes No No No No Yes

Check the following two links and the attached diagram; they might help.
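The four-step flow in the answer above (check credentials, look up the account's dial-in properties, then send Access-Accept or Access-Reject) can be made concrete with a small RADIUS/PAP exchange. The block below is an added example, not code from the original thread or from Cisco or Microsoft: it builds the Access-Request the way a NAS such as a PIX/ASA would (RFC 2865 User-Password hiding), lets a stand-in for the IAS server authenticate against a constructed directory and authorize against an allowed-group set, and has the NAS verify the Response Authenticator before trusting the answer. The shared secret, the user names, passwords and group names, and the choice of PAP (IAS deployments usually use MS-CHAPv2) are all assumptions made for the example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# Assumed NAS/IAS shared secret (constructed for this example).
SHARED_SECRET = b"example-radius-secret"

# Constructed stand-in for the domain controller: user -> (password, groups).
DIRECTORY = {
    "alice": ("Winter2008!", {"IT"}),
    "bob": ("Passw0rd", {"Engineering"}),
    "carol": ("Spring2008!", {"Finance"}),
}
# The remote access policy condition: only these groups may dial in.
VPN_ALLOWED_GROUPS = {"IT", "Engineering"}


def _attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs (length covers type+len bytes)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _parse_attrs(data):
    """Decode RADIUS TLVs back into (type, value) pairs."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the cipher block feeds the next key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """NAS side: Code, Identifier, Length, random Request Authenticator, attributes."""
    req_auth = os.urandom(16)
    attrs = _attrs([(ATTR_USER_NAME, username.encode()),
                    (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def ias_handle(packet, secret, directory, allowed_groups):
    """IAS side: authenticate (step 1), authorize (step 2), answer (steps 3/4)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(_parse_attrs(packet[20:length]))
    username = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    entry = directory.get(username)
    if code != ACCESS_REQUEST or entry is None or entry[0].encode() != password:
        reply_code, msg = ACCESS_REJECT, b"authentication failed"
    elif not (entry[1] & allowed_groups):
        # Valid credentials, but the dial-in policy does not cover any of the user's groups.
        reply_code, msg = ACCESS_REJECT, b"not authorized for VPN"
    else:
        reply_code, msg = ACCESS_ACCEPT, b"authorized"
    reply_attrs = _attrs([(ATTR_REPLY_MESSAGE, msg)])
    head = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    resp_auth = hashlib.md5(head + req_auth + reply_attrs + secret).digest()
    return head + resp_auth + reply_attrs


def nas_verify_reply(request, reply, secret):
    """NAS side: a reply with a flipped code or the wrong secret must not be trusted."""
    if reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[4:20] == expected


def vpn_login(username, password, secret=SHARED_SECRET):
    """Run one NAS <-> IAS round trip; returns (decision, Reply-Message)."""
    req = build_access_request(7, username, password, secret)
    reply = ias_handle(req, secret, DIRECTORY, VPN_ALLOWED_GROUPS)
    if not nas_verify_reply(req, reply, secret):
        return ("invalid-reply", "")
    msg = dict(_parse_attrs(reply[20:]))[ATTR_REPLY_MESSAGE].decode()
    return ("accept" if reply[0] == ACCESS_ACCEPT else "reject", msg)


if __name__ == "__main__":
    for user, pw in [("alice", "Winter2008!"), ("bob", "Passw0rd"),
                     ("carol", "Spring2008!"), ("alice", "wrong")]:
        print(user, vpn_login(user, pw))
```

Carol's case is the one the answer is about: her password is correct, so authentication succeeds, but no group of hers matches the policy, so IAS still returns Access-Reject and the ASA never builds the tunnel. On the real ASA the equivalent check is `test aaa-server authentication <server-tag> username <user> password <pw>` against the RADIUS server group referenced by the tunnel-group's `authentication-server-group`; on the IAS side, the user's dial-in tab is set to "Control access through Remote Access Policy" and the policy's Windows-Groups condition lists the permitted groups.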