How do I block a user from VPN'ing in while AD is used for authentication

Answered Question
Aug 3rd, 2010

We currently use Active Directory to authenticate through IPsec VPN.

An employee was let go, so his AD account was disabled.

However, he has another AD username and password that cannot be disabled since it is being used under other services.

Our entire company is under one Group Policy.

My question is, how would I block him from accessing the network?

Rahul Govindan Tue, 08/03/2010 - 07:56

You could use DAP to block that user from authenticating successfully. Create a policy to match the user attribute (say sAMAccountName for LDAP) and terminate as the policy action. For the rest of the users, you could use a continue action in the default policy, which should allow normal authentication and authorization.


For details on DAP:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

nygenxny123 Tue, 08/03/2010 - 08:25

From the looks of it, I may have to configure an entire new group policy?

However, this could impact current users.

Correct Answer
Rahul Govindan Tue, 08/03/2010 - 08:41

No, you won't have to configure any new group-policy. All you have to do is create a DAP policy saying that if a user comes with this attribute from RADIUS or LDAP (username in your case), apply a certain policy (terminate) to it. For the rest of the users, since they don't match that criterion, they will hit the default DAP policy, which will allow them normally without applying any policy to them.
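As an added illustration (not from this thread or from Cisco's documentation), here is what the DAP setup Rahul describes looks like on an ASA: the record and its action live in the running config, while its AAA selection criterion (a match on the LDAP sAMAccountName) is entered on the Dynamic Access Policies page in ASDM and stored in dap.xml on flash. The record name, the account name `jdoe`, and the exact dap.xml layout are assumptions; let ASDM generate the XML rather than hand-editing it.

```text
! --- Running config: the DAP record and its action (record name is assumed) ---
dynamic-access-policy-record Block_Leaver_Shared_Account
 description "Terminate any VPN session that authenticates as the leaver's second AD account"
 user-message "VPN access denied. Contact the IT helpdesk."
 action terminate
 priority 10
!
! The default record is what every non-matching user hits; it must stay
! "continue" so that normal authentication and authorization are unaffected.
dynamic-access-policy-record DfltAccessPolicy
 action continue
!
! --- dap.xml on flash: the selection criterion attached to the record above ---
<!-- ASDM writes this file; the layout is assumed and "jdoe" is a placeholder
     for the real sAMAccountName. A caseless EQ match on aaa.ldap.sAMAccountName
     is what ties the terminate action to exactly one account. -->
<dapRecordList>
  <dapRecord>
    <dapName><value>Block_Leaver_Shared_Account</value></dapName>
    <dapViewsRelation><value>and</value></dapViewsRelation>
    <dapBasicView>
      <dapSelection>
        <dapPolicy><value>match-all</value></dapPolicy>
        <attr>
          <name>aaa.ldap.sAMAccountName</name>
          <value>jdoe</value>
          <operation>EQ</operation>
          <type>caseless</type>
        </attr>
      </dapSelection>
    </dapBasicView>
  </dapRecord>
</dapRecordList>
```

Test it with a login as the blocked account and as an unaffected user; `debug dap trace` on the ASA shows which record each login matched and the action applied.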
