How to restrict VPN, allow Wireless. AD environment

Unanswered Question
Jun 26th, 2006
User Badges:

15,000 student accounts on active directory, single domain, Win2003.

3,000 staff accounts.

Staff should access VPN and Wireless.

Students should access Wireless only.

Cisco VPN 3000 Concentrator.

Cisco Wireless Access Points, LEAP, (going to migrate to Aruba in the future).

ACS 3.x


On Active Directory, option I need to keep option "Allow dial-in" on Student accounts set to "Allow". That way students can access wireless. The problem is that would let users launch a Cisco VPN client and connect to our corporate network. I want to restrict that for students.

How can I solve this situation ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dominic.caron Mon, 06/26/2006 - 12:20
User Badges:
  • Silver, 250 points or more

Add a new feild in your AD for each service. Onefor wireless and one for VPN. Map those two field to groups in your ACS server. Restric access with Calling device ID(NAR) in each ACS group.

Adding a feild for each service give you the flexibility to handle wierd a student employe.

nascimentor Tue, 06/27/2006 - 07:19
User Badges:


Can you elaborate a little more on the "Map those two field to groups in your ACS server".

Are you saying that I should create an AD attribute named "wireless" and "vpn" or perhaps you meant I should create a security group in Active Directory "Wireless" and "VPN" and then make ACS recognize those groups ?

I am new to ACS so if you can point out a documentation on how to make ACS work with Active Directory groups, that would help. I will research more on this ACS<->AD groups.

Thanks again !

Also, I

dominic.caron Tue, 06/27/2006 - 10:29
User Badges:
  • Silver, 250 points or more

I'm do not manage the AD for my university but my AD manager knew what to do on the AD...

1.You must have two at least two network device group associated with wireless and vpn.

2.Create a minimum of two ACS group, one for Student and one for staff. (or one wireless,vpn,wireless+vpn,none)

Configure the access device allowed in this group using the

"Per Group Defined Network Access Restrictions " menu.

3. Map the ACS group to the AD defined group in the external database group mapping utility. Begin with the more specific group, end with the less specific. The mapping work with "and" statements.

If Member of AD group wireless and vpn then map to ACS group wireless+vpn

Make a few test, there not a lot of doc on this but it works well

zhenningx Mon, 06/26/2006 - 12:26
User Badges:
  • Bronze, 100 points or more

Can you restrict this using ACL at vlan interface?


This Discussion