assign vpn users to different groups/ip-pools & NT domain authentication

Jan 16th, 2004

I'd like to use a 3015 concentrator for remote access VPN with Microsoft machine certificates, different groups on the 3015 and xauth against the (local) internal user database, and afterwards I'd like to change xauth from internal to an NT domain.

How could I map users to their designated groups on the concentrator if they authenticate against the domain and no longer against the internal database?

shannong Fri, 01/16/2004 - 15:16

The concentrator itself, Cisco ACS, and MS IAS can all provide authentication against an NT domain. If you want granular, sophisticated control over the user's session, ACS is the best choice.

For group matching when using certificates, the OU in the certificate must match a VPN concentrator group that the user will be authenticated with.

A more flexible option is to use the RADIUS IETF attribute #25 [Class]. The ACS server can be used to determine which group the user should belong in by checking to see if that user exists in a group you specify in the domain. You can then pass the value "ou=somegroup" to the concentrator when authenticating users. The VPN concentrator will apply the supplied group to the user regardless of which group they initially authenticate with. This is really easy with Cisco ACS, but I don't think MS IAS can pass this attribute correctly to the VPN concentrator, but I don't know this for a fact.

ACS can also tell the concentrator what encryption methods to use for the user/group, what their filter/ACL for access is, what the firewall rules should be, and pretty much anything else you can define in a group on the concentrator. This means you don't even need multiple concentrator groups. You create one or two concentrator groups and let ACS hand out all relevant information about that user's/group's session based on their membership in an NT group.
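
A worked illustration of the Class-attribute mapping described in the reply above, added here as an example and not code from the post or from Cisco: it builds a constructed RADIUS Access-Accept carrying IETF attribute 25 with the value `OU=sales;`, walks the attribute TLVs the way RFC 2865 lays them out, and applies the named group only if it is one configured on the concentrator. The function names, the sample packet and the check against known groups are assumptions about how the concentrator behaves, not documented behaviour.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
RADIUS_CLASS = 25   # IETF attribute #25, Class
HEADER_LEN = 20     # code, identifier, length, 16-byte authenticator


def build_access_accept(identifier, attrs):
    """Build a constructed Access-Accept from (type, value) pairs; the authenticator
    is zeroed because this example only inspects the attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Walk the attribute TLVs, rejecting length fields that do not fit the packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past end of packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def group_from_class(packet, known_groups):
    """Return the group named by an 'OU=<group>' Class value, or None. Assumed
    behaviour: only a locally configured group is applied, so a RADIUS reply
    cannot steer a user into a group that does not exist on the concentrator."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype != RADIUS_CLASS:
            continue
        for part in value.decode("ascii", "replace").split(";"):
            key, _, group = part.partition("=")
            if key.strip().lower() == "ou" and group.strip() in known_groups:
                return group.strip()
    return None


def is_well_formed(packet):
    """True when the packet parses cleanly; malformed replies are dropped."""
    try:
        parse_attributes(packet)
        return True
    except (ValueError, struct.error, IndexError):
        return False
```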

haleemk Sun, 01/18/2004 - 23:57

I have a 3030 and I want MS 2000 Active Directory to authenticate remote users instead of using internal authentication. When I add the 2000 Server as external authentication and test it, it fails. The problem is now that for every user we have to create an account in the 3030 instead of using the same Active Directory account.

Please help
