VPN 3000 authentication against Windows AD controller???

uhl_frederick
Level 1

I have a VPN 3000 and currently it authenticates against my domain controller. Is there a way to have it only allow access if they have an account in the Domain AND be a member of a security group in the domain??? I would like to stop users from getting the client and being able to remote in if they have a general domain user account. There are too many users to manage locally on the concentrator.

Thanks in advance,

Gene

Accepted Solution

You should look under authentication in your concentrator. (I haven't worked on one in a while, so I'm flying blind on this one.) Somewhere under there it will say RADIUS server, and it will have an IP address (if you're using it). If that server has "Internet Authentication Service" (IAS) under Administrative Tools, then that's your RADIUS server. You could have some other piece of software though, because there are a lot of RADIUS servers available.

If it's IAS, then under the settings when you modify the properties, you'll see policies. Under those policies, groups are added and permitted or denied based on membership.

Here's a step-by-step link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

HTH,

John


John Blakley
VIP Alumni

It's been a while since I've messed with IAS, but you should be able to deny members unless they are a member of a group. This falls back on your RADIUS server though and not the concentrator.

HTH,

John


Good Point. I am not sure if someone has done this setup. I am new to this VPN, so I am not sure if it is authenticating through a radius, or just doing a straight LDAP authentication just to verify they have a user account on the domain. (not very secure as this will let in anyone that has an account)

Any other suggestions will be welcome..

Thanks

Gene

Just logged back in to confirm. Only using NT domain Authentication servers, which I was afraid of.

Do you think you can remember if in this list, does it only use the top most server, or will it attempt to authenticate from top to bottom, ie try each server until it gets a hit, and if not, and the last is Internal, try the internal database?

And if you can remember that, how about this,

If it finds the username on the first listed server, but the password doesn't match, will it go through the list until it hits the internal database where the password does match? (if the password for the account is different on the domain than the local VPN database)

Thanks for the input!!!!

Gene

Gene,

I think it works like aaa authentication in that it won't check the next one in the list if the first one responds.

If you're using domain authentication, why don't you convert to RADIUS? It still uses the same accounts, so I wouldn't think there would be any problems with converting to IAS.

Oh, and for your last question, no, if the first username passes, but the password fails, then it's considered a failed login and it will kick back a user login screen again. It won't continue through the list.

HTH,

John

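The two behaviours John describes (an IAS policy that admits only members of a chosen security group, and a server list where the first server that answers decides, so a wrong domain password does not fall through to the internal database) can be modelled in a few lines. This is an added example, not code or configuration from the thread or from Cisco; the group name, server names and accounts are constructed sample data.

```python
"""Model of an IAS-style group policy in front of a concentrator server list:
the first server that responds decides, and a bad password is a failed login
rather than a reason to try the next server. All names and accounts below are
constructed sample data, not real configuration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

VPN_GROUP = "VPN-Users"  # assumed group name; any AD security group would do


@dataclass
class Account:
    password: str
    groups: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class AuthServer:
    name: str
    accounts: Dict[str, Account]
    reachable: bool = True
    required_group: Optional[str] = None  # IAS remote-access policy condition

    def query(self, username: str, password: str) -> Optional[str]:
        """'accept', 'reject', or None when the server does not answer at all."""
        if not self.reachable:
            return None
        acct = self.accounts.get(username)
        if acct is None or acct.password != password:
            return "reject"
        if self.required_group and self.required_group not in acct.groups:
            return "reject"  # valid domain account, but not in the VPN group
        return "accept"


def authenticate(servers: List[AuthServer], user: str, pw: str) -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first server that responds decides.
    Only an unreachable server lets the next entry (e.g. Internal) be tried."""
    for srv in servers:
        verdict = srv.query(user, pw)
        if verdict is not None:
            return verdict, srv.name
    return "reject", None  # nothing answered: fail closed


def sample_chain(radius_reachable: bool = True) -> List[AuthServer]:
    """Constructed server list: RADIUS/IAS in front of the concentrator's internal DB."""
    domain = {"gene": Account("domainpw", frozenset({"Domain Users", VPN_GROUP})),
              "bob": Account("bobpw", frozenset({"Domain Users"}))}
    internal = {"gene": Account("localpw")}
    return [AuthServer("RADIUS/IAS", domain, radius_reachable, VPN_GROUP),
            AuthServer("Internal", internal)]
```

Note that "bob" holds a valid domain account and still gets rejected, which is exactly the restriction Gene asked for, while the internal database is consulted only when the RADIUS server does not answer.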

John,

I agree and by all means will do this, as soon as we complete an ISP cutover on Friday. Have to get IAS set up, then cut over. Should not be too much of an issue. I did this with an Aruba appliance and Steel-Belted Radius, so it should be similar (I hope). Thanks for all your information...

Gene
