I am pretty new to the VPN world and have a question about access to our network from remote users.
We have a Cisco VPN 3000 series. We have approximately 4000 employees. We want any employee to be able to be at home and have access to our network. I don't want to simply set up an 'employee' group and allow anyone access through the VPN (although this would obviously be the easiest way to do it). If someone is fired or quits, we want to be able to stop that person from accessing our network. I also don't want to have to manage 4000 user accounts on the firewall; that would be a nightmare. Of course, this solution is the one that my manager thinks is the best.
I have recently installed a Microsoft IAS server and have all my Cisco routers authenticating to it. Can I also use this server to allow different access levels to the users that want to access my network from home? If so, is it simply based on the users' NT credentials (i.e., admin or user), or would I have to set up new accounts for them?
Also, another one of the options being floated around out there is to set up a certificate server and simply hand over a pre-formatted disk with certificate information to the people that want to use VPN. But again, we will not be able to control what happens to that disk after it leaves our office. I really think that if RADIUS works like it should, it would solve our problems.
Thanks for any help. We are basically finally starting a 'real' security policy around here and this is our chance to get this thing right from the start!
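The exchange the poster is asking about, as an added example that is not part of the original post: a minimal RADIUS (RFC 2865) round trip between a VPN concentrator acting as the NAS and an IAS-style policy server. The concentrator sends an Access-Request with the user's name and a hidden PAP password; the server checks that the account exists, is enabled (a fired employee's account is simply disabled in the domain) and is a member of a Windows group mapped to a VPN group, then answers Access-Accept carrying a Class attribute of the form "OU=<group>;", which is the format the Cisco VPN 3000 reads to place the user in a concentrator group, or Access-Reject otherwise. The concentrator then validates the Response Authenticator before trusting the answer. The directory contents, shared secret, NAS address and group names are all constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange with group-to-Class mapping.

Added example, not from the original post. The directory, secret and
group names below are made up for illustration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS = 1, 2, 4, 25

SHARED_SECRET = b"example-shared-secret"  # assumption: per-NAS secret configured on both ends

# Constructed stand-in for the Windows domain: account state and group membership.
DIRECTORY = {
    "alice": {"password": "correct-horse", "enabled": True,  "groups": {"Domain Users", "VPN-Engineering"}},
    "bob":   {"password": "hunter2",       "enabled": False, "groups": {"Domain Users", "VPN-Engineering"}},  # left the company: disabled
    "carol": {"password": "s3cret",        "enabled": True,  "groups": {"Domain Users"}},                     # never granted VPN
}
# Windows group -> concentrator group name (assumed names).
GROUP_MAP = {"VPN-Engineering": "Engineering", "VPN-Sales": "Sales"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the keystream chains on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: type, total length (including the 2 header bytes), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def nas_access_request(username: str, password: str, ident: int = 1) -> bytes:
    """What the concentrator sends: a fresh random Request Authenticator plus the user's credentials."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # constructed NAS address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(packet: bytes) -> bytes:
    """IAS-style policy: account enabled, password correct, member of a mapped group -> Accept + Class."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, request_auth)
    account = DIRECTORY.get(username)
    code, reply_attrs = ACCESS_REJECT, []
    if account and account["enabled"] and password == account["password"].encode():
        vpn_groups = sorted(GROUP_MAP[g] for g in account["groups"] if g in GROUP_MAP)
        if vpn_groups:
            code = ACCESS_ACCEPT
            reply_attrs.append((CLASS, f"OU={vpn_groups[0]};".encode()))  # VPN 3000 group assignment format
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + SHARED_SECRET).digest()
    return header + response_auth + body


def nas_verify_reply(request: bytes, reply: bytes):
    """The concentrator must check the Response Authenticator; otherwise any host could inject an Accept."""
    _, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + SHARED_SECRET).digest()
    if reply[4:20] != expected or ident != request[1]:
        raise ValueError("forged or mismatched RADIUS reply")
    return reply[0], dict(decode_attrs(reply[20:length]))


def vpn_login(username: str, password: str):
    """Full round trip; returns the Class value on success, None on rejection."""
    req = nas_access_request(username, password)
    code, attrs = nas_verify_reply(req, server_handle(req))
    return attrs[CLASS].decode() if code == ACCESS_ACCEPT else None
```

In the example, alice is accepted and lands in the Engineering group, bob is rejected because his domain account is disabled, and carol is rejected because she is in no VPN group, with nothing to maintain on the concentrator beyond the RADIUS server address and shared secret. On IAS this corresponds to a remote access policy whose condition is a Windows-Groups match and whose profile returns the Class attribute; the concentrator side is a Class-based group assignment. Two caveats worth keeping in mind: the User-Password hiding is MD5-based obfuscation rather than encryption, so the RADIUS path between concentrator and IAS should be on a trusted segment, and the NAS must actually verify the Response Authenticator as `nas_verify_reply` does.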