There is a requirement to restrict IPSec access and confine it to a few users only.
The setup we have is VPN Concentrator 3015 4.7.2P --> ACS Solution Engine 4.2 --> LDAP --> Windows AD.
The LDAP server has around 30-35 groups, and we want to allow access to only a few of them.
I am not sure what the best way is to allow access to only a few users.
Currently, anyone who has the group name and password can log in. But we want to restrict IPSec access to only a few groups.
In response to this requirement, I configured RADIUS authorization on the VPN concentrator and created a test ACS local group in which I configured a RADIUS attribute with a split-tunnel access-list that is defined on the concentrator. This access-list is a dummy access-list that permits a small /29 subnet through the VPN. So, basically, my idea was that I would restrict VPN access to specific users by having ACS local groups mapped to LDAP groups and then configuring these local groups to push the RADIUS attribute 026\3076\027 "ipsec-split-tunnel-list" to the VPN concentrator.
This worked for me, but the client wants a finer solution in this regard. He wants something to the effect of denying a user at the authentication stage itself. Is it possible?
Would really appreciate any suggestions / pointers on this.
Thanks a lot
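As an added illustration (not part of the original post, and not Cisco or ACS code) of what the RADIUS server is actually doing in the two approaches discussed above: the poster's split-tunnel workaround returns an Access-Accept carrying the vendor-specific attribute 026\3076\027, while the "deny at the authentication stage" behaviour the client asks for is simply an Access-Reject for any user whose LDAP groups are not on the allow list. The block below encodes that attribute per RFC 2865 (type 26 Vendor-Specific, vendor ID 3076, vendor type 27) and models the group-to-decision mapping. The group DNs, the access-list name `vpn-split-acl` and the `decide_access` helper are hypothetical and chosen for the example.

```python
import struct

# RFC 2865 section 5.26: Vendor-Specific attribute type.
VENDOR_SPECIFIC = 26
# Vendor ID 3076 (Altiga, used by the Cisco VPN 3000 series) and vendor type 27
# are the "026\3076\027" notation the post refers to (ipsec-split-tunnel-list).
VENDOR_ID_VPN3000 = 3076
VSA_IPSEC_SPLIT_TUNNEL_LIST = 27

# Hypothetical mapping of allowed LDAP groups to the split-tunnel ACL that the
# ACS local group would push. Any group not listed here is denied outright.
ALLOWED_GROUPS = {
    "CN=VPN-Admins,OU=Groups,DC=example,DC=com": "vpn-split-acl",
    "CN=VPN-Remote,OU=Groups,DC=example,DC=com": "vpn-split-acl",
}


def parse_acs_notation(text):
    """Turn ACS-style '026\\3076\\027' into (attr_type, vendor_id, vendor_type)."""
    parts = text.split("\\")
    if len(parts) != 3:
        raise ValueError("expected attr\\vendor\\vendortype")
    return tuple(int(p, 10) for p in parts)


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one RADIUS Vendor-Specific attribute (RFC 2865 format).

    Layout: Type(1)=26 | Length(1) | Vendor-Id(4) | Vendor-Type(1)
            | Vendor-Length(1) | value
    """
    if len(value) > 255 - 8:
        raise ValueError("value too long for a single VSA")
    vendor_part = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(data):
    """Inverse of encode_vsa; validates both length fields."""
    attr_type, attr_len = struct.unpack("!BB", data[:2])
    if attr_type != VENDOR_SPECIFIC or attr_len != len(data) or attr_len < 8:
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vendor_type, vendor_len = struct.unpack("!BB", data[6:8])
    if vendor_len != len(data) - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, data[8:]


def decide_access(user_groups, allowed=ALLOWED_GROUPS):
    """Hypothetical policy decision the RADIUS server makes after LDAP lookup.

    Returns ("Access-Reject", b"") when none of the user's groups is allowed,
    otherwise ("Access-Accept", <encoded VSA>) carrying the split-tunnel ACL.
    This is the difference between the poster's workaround (only the
    Accept path) and the client's request (the Reject path).
    """
    for group in user_groups:
        acl = allowed.get(group)
        if acl is not None:
            vsa = encode_vsa(VENDOR_ID_VPN3000, VSA_IPSEC_SPLIT_TUNNEL_LIST,
                             acl.encode("ascii"))
            return "Access-Accept", vsa
    return "Access-Reject", b""


if __name__ == "__main__":
    # Constructed sample: one allowed user, one user in an unrelated group.
    print(decide_access(["CN=VPN-Admins,OU=Groups,DC=example,DC=com"]))
    print(decide_access(["CN=Printer-Users,OU=Groups,DC=example,DC=com"]))
```

The encoding helpers are useful for checking what the concentrator receives on the wire (for example against a packet capture) when the pushed attribute appears not to take effect; the decision function only shows where a group-based Reject fits relative to the attribute-push approach.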