04-02-2009 08:48 AM - edited 03-06-2019 04:57 AM
I have a VPN 3000 and currently it authenticates against my domain controller. Is there a way to have it only allow access if they have an account in the Domain AND be a member of a security group in the domain??? I would like to stop users from getting the client and being able to remote in if they have a general domain user account. There are too many users to manage locally on the concentrator.
Thanks in advance,
Gene
04-02-2009 09:45 AM
You should look under authentication in your concentrator. (I haven't worked on one in a while, so I'm flying blind on this one.) Somewhere under there it will say RADIUS server, and it will have an IP address (if you're using it). If that server has "Internet Authentication Service" (IAS) under Administrative Tools, then that's your RADIUS server. You could have some other piece of software though, because there are a lot of RADIUS servers available.
If it's IAS, then under the settings when you modify the properties, you'll see policies. Under those policies, groups are added and permitted or denied based on membership.
Here's a step-by-step link:
HTH,
John
04-02-2009 08:51 AM
It's been a while since I've messed with IAS, but you should be able to deny members unless they are a member of a group. This falls back on your RADIUS server though and not the concentrator.
HTH,
John
04-02-2009 09:39 AM
Good point. I am not sure if someone has done this setup. I am new to this VPN, so I am not sure if it is authenticating through RADIUS, or just doing a straight LDAP authentication to verify they have a user account on the domain. (Not very secure, as this will let in anyone that has an account.)
Any other suggestions will be welcome..
Thanks
Gene
04-02-2009 10:00 AM
Just logged back in to confirm. Only using NT domain Authentication servers, which I was afraid of.
Do you think you can remember if, in this list, it only uses the topmost server, or will it attempt to authenticate from top to bottom, i.e. try each server until it gets a hit, and if not, and the last is Internal, try the internal database?
And if you can remember that, how about this,
if it finds the username on the first listed server, but the password doesn't match, will it go through the list until it hits the internal database where the password does match? (If the password for the account is different on the domain than in the local VPN database.)
Thanks for the input!!!!
Gene
04-02-2009 10:14 AM
Gene,
I think it works like aaa authentication in that it won't check the next one in the list if the first one responds.
If you're using domain authentication, why don't you convert to RADIUS? It still uses the same accounts, so I wouldn't think there would be any problems with converting to IAS.
Oh, and for your last question, no, if the first username passes, but the password fails, then it's considered a failed login and it will kick back a user login screen again. It won't continue through the list.
HTH,
John
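Below is an added example (not Cisco's, Microsoft's or the poster's own code) that models the two points John makes in this thread: an IAS-style policy in which a valid domain password is not enough and the account must also belong to a specific security group, and the server-list behaviour in which the concentrator stops at the first server that answers, so a wrong password on the domain is a final reject rather than a retry against the internal database. The server names, accounts, passwords and the group name `VPN-Users` are all constructed sample data, and the reject/fall-through logic is an assumption based on John's description, not a reproduction of the concentrator's or IAS's actual implementation.

```python
"""Model of the RADIUS group-membership policy and the first-responder
server-list behaviour described in the thread. Added example; all data
below is constructed and the behaviour is an assumption based on the
thread, not the real IAS or VPN 3000 code."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

VPN_GROUP = "VPN-Users"  # hypothetical security group that gates VPN access


@dataclass
class DirectoryServer:
    name: str
    users: Dict[str, str]          # username -> password (sample data only)
    groups: Dict[str, Set[str]]    # username -> set of group names
    reachable: bool = True         # False models a server that times out

    def authenticate(self, user: str, pw: str) -> Optional[str]:
        """Return 'accept', 'reject', or None if the server never responds."""
        if not self.reachable:
            return None
        if self.users.get(user) == pw:
            return "accept"
        return "reject"

    def member_of(self, user: str, group: str) -> bool:
        return group in self.groups.get(user, set())


def radius_policy(server: DirectoryServer, user: str, pw: str,
                  required_group: str = VPN_GROUP) -> Optional[str]:
    """IAS-style policy: the credentials must be valid AND the account
    must be a member of the required group. Any other domain user is denied."""
    result = server.authenticate(user, pw)
    if result is None:
        return None                 # no answer: caller may try the next server
    if result != "accept":
        return "reject"             # bad password: reject without consulting groups
    return "accept" if server.member_of(user, required_group) else "reject"


def concentrator_login(servers, user: str, pw: str,
                       policy=radius_policy) -> Tuple[str, Optional[str]]:
    """Walk the server list top to bottom and stop at the first server that
    answers. Only a server that does not respond lets the login fall through
    to the next entry (e.g. the internal database at the bottom of the list)."""
    for srv in servers:
        verdict = policy(srv, user, pw)
        if verdict is not None:
            return verdict, srv.name
    return "reject", None           # nobody answered at all


# Constructed sample servers: a domain controller, an unreachable one,
# and the concentrator's internal database with a different password.
DOMAIN = DirectoryServer("DC01",
                         {"gene": "domainpw", "temp": "temppw"},
                         {"gene": {VPN_GROUP}, "temp": set()})
DEAD = DirectoryServer("DC02", {}, {}, reachable=False)
INTERNAL = DirectoryServer("internal", {"gene": "localpw"}, {"gene": {VPN_GROUP}})

if __name__ == "__main__":
    # Group member with the right domain password: accepted.
    print(concentrator_login([DOMAIN, INTERNAL], "gene", "domainpw"))
    # Valid domain account that is not in VPN-Users: rejected.
    print(concentrator_login([DOMAIN, INTERNAL], "temp", "temppw"))
    # Local-database password tried against the domain first: DC01 answers
    # "reject", so the internal database is never consulted.
    print(concentrator_login([DOMAIN, INTERNAL], "gene", "localpw"))
    # Domain controller down: the login falls through to the internal database.
    print(concentrator_login([DEAD, INTERNAL], "gene", "localpw"))
```

The third case is the one Gene asks about: because `DC01` responds with a reject, the list walk ends there, and the matching password in the internal database is never reached.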
04-02-2009 12:01 PM
John,
I agree and by all means will do this, as soon as we complete an ISP cutover on Friday. Have to get IAS set up, then cut over. Should not be too much of an issue. I did this with an Aruba appliance and Steel-Belted Radius, so it should be similar (I hope). Thanks for all your information...
Gene