One user per One Group

soylo (Level 1)

I have a Concentrator VPN3015 (3.6.7), and I'm using IPSec Client 3.6. I have configured 3 groups with internal authentication; each group permits remote access with RADIUS authentication. This configuration works, but one user can belong to all 3 groups. I want to restrict one user to one group. For example, the sales group must only permit sales users. Don't forget that all users are defined in the RADIUS server.

How do I do it?

3 Replies

gfullage (Cisco Employee)

You define an attribute on the RADIUS server for each user that specifies what concentrator group they belong to. That way, no matter what concentrator group they configure in their VPN client, they'll be locked into, and get all the attributes of, whatever group is defined for them in the RADIUS server attribute.

See http://www.cisco.com/warp/public/471/altigagroup.html for details.

I tested, but it didn't work. I'm using ACE/SERVER RADIUS v5.0.01 from RSA. The authentication is OK, but so far I can't lock the user into the group. In the RADIUS user's profile, I have defined Class OU=g_piloto; g_piloto matches the name of the concentrator group.

Please Help me.

Sergio
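The lock-in mechanism gfullage describes, and the Class attribute Sergio configured, as an added example (not code from this thread, from Cisco or from RSA): it encodes and decodes the RADIUS Class attribute (type 25, RFC 2865) and applies the group-lock decision the concentrator is expected to make. The "OU=<group>;" value format with a trailing semicolon, and the exact-name comparison against the concentrator group, are assumptions to verify against the linked Cisco note for your release; the sample Access-Accept attributes are constructed.

```python
import struct

# RADIUS attribute types from RFC 2865
ATTR_USER_NAME = 1
ATTR_CLASS = 25


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type / length / value (RFC 2865, section 5)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(blob: bytes):
    """Decode a run of RADIUS attributes into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length runs past end of packet")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def group_from_class(attrs):
    """Return the group name carried in a Class attribute of the form 'OU=<group>;'.

    Assumption: the concentrator only honours the 'OU=name;' form, so a value
    without the trailing semicolon (or with an empty name) yields no lock.
    """
    for attr_type, value in attrs:
        if attr_type != ATTR_CLASS:
            continue
        text = value.decode("ascii", errors="replace")
        if text.startswith("OU=") and text.endswith(";"):
            name = text[3:-1]
            if name:
                return name
    return None


def effective_group(requested_group: str, attrs):
    """Decide which concentrator group the session lands in.

    With a valid Class attribute the user is locked to the RADIUS-defined group
    regardless of what the VPN client asked for; without one, the client's
    requested group wins, which is exactly the behaviour the question describes.
    """
    locked = group_from_class(attrs)
    if locked is None:
        return ("no-lock", requested_group)
    return ("locked", locked)


# Constructed Access-Accept attribute payloads (not real captures).
ACCEPT_WITH_LOCK = build_attr(ATTR_USER_NAME, b"alice") + build_attr(ATTR_CLASS, b"OU=g_piloto;")
ACCEPT_NO_SEMICOLON = build_attr(ATTR_USER_NAME, b"alice") + build_attr(ATTR_CLASS, b"OU=g_piloto")

if __name__ == "__main__":
    for label, blob in (("well-formed", ACCEPT_WITH_LOCK), ("missing ';'", ACCEPT_NO_SEMICOLON)):
        print(label, effective_group("sales", parse_attrs(blob)))
```

When debugging a lock that does not take effect, capture the Access-Accept on the concentrator side and run the attribute bytes through parse_attrs: if group_from_class returns None, the value the RADIUS server actually sent is not in the expected form, independent of how it was entered in the user profile.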

Your issue here is that you have a single authentication means (and a common authentication database) for all 3 groups. Because all of your users are authenticated against the one source, if the users possess all of the different group files (profiles), they can authenticate to any of the groups defined on your concentrator.

You can get around this using RADIUS/IAS. The way that you do this is:

Define a different RADIUS server by IP address for authentication on each of your groups.

On your RADIUS server, define three different NASes by IP address to represent your three groups on your concentrator. Set your IAS policies so that users from each NAS will ONLY be accepted if they are also members of a Windows group called (whatever you want the group called).

Create the 3 groups in your Windows domain, and assign your users to them.

NOW, the hard part is that between your concentrator and your Windows IAS box, you have to perform a heap of network address translation so that the requests from the VPN concentrator to the 3 "separate" RADIUS IP addresses have their destination NATed to the address of your Windows IAS, whilst having their source NATed to the 3 different group addresses. My network is a hybrid of routers/FW1/PIX/Gauntlet and CyberGuard, so I have a few ways of doing this; you'll have to make do with what you have. Also, watch out for RADIUS packet-level authentication, as this sort of thing can make it complain.
