How to restrict VPN, allow Wireless. AD environment

nascimentor
Level 1

15,000 student accounts on active directory, single domain, Win2003.

3,000 staff accounts.

Staff should access VPN and Wireless.

Students should access Wireless only.

Cisco VPN 3000 Concentrator.

Cisco Wireless Access Points, LEAP, (going to migrate to Aruba in the future).

ACS 3.x

Problem:

On Active Directory, I need to keep the option "Allow dial-in" on student accounts set to "Allow". That way students can access wireless. The problem is that this would let users launch a Cisco VPN client and connect to our corporate network. I want to restrict that for students.

How can I solve this situation?

4 Replies

dominic.caron
Level 5

Add a new field in your AD for each service: one for wireless and one for VPN. Map those two fields to groups in your ACS server. Restrict access with Calling Device ID (NAR) in each ACS group.

Adding a field for each service gives you the flexibility to handle weird cases... like a student employee.

Thanks.

Can you elaborate a little more on "Map those two fields to groups in your ACS server"?

Are you saying that I should create AD attributes named "wireless" and "vpn", or perhaps you meant I should create security groups in Active Directory named "Wireless" and "VPN" and then make ACS recognize those groups?

I am new to ACS, so if you can point out documentation on how to make ACS work with Active Directory groups, that would help. I will research more on ACS<->AD groups.

Thanks again!

Also, I

I do not manage the AD for my university, but my AD manager knew what to do on the AD...

1. You must have at least two network device groups, one associated with wireless and one with VPN.

2. Create a minimum of two ACS groups, one for students and one for staff (or one each for wireless, VPN, wireless+VPN, and none).

Configure the access devices allowed in each group using the "Per Group Defined Network Access Restrictions" menu.

3. Map the ACS groups to the AD-defined groups in the external database group mapping utility. Begin with the more specific group and end with the less specific. The mapping works with "and" statements:

If member of AD group wireless and vpn, then map to ACS group wireless+vpn.

Make a few tests; there is not a lot of documentation on this, but it works well.
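As an added illustration of the three steps above (this is not code from the thread or from Cisco), the following Python models how ACS 3.x walks the group-mapping list top to bottom with AND conditions, picks the first match, and then applies that ACS group's per-group NAR against the NDG of the calling device. The AD group names, NDG names, device names and sample users are assumptions. It also shows why the more specific mapping has to be listed first: with the order reversed, a staff member matches the wireless-only entry and is refused at the VPN concentrator even though the AD "Allow dial-in" flag is still set.

```python
"""Model of ACS 3.x group mapping + per-group NAR evaluation.

Illustrative only; all names below are constructed for the example.
"""

# Step 1: Network Device Groups (NDGs). Device names are constructed.
NDG = {
    "wireless": {"ap-library-1", "ap-dorm-3"},
    "vpn": {"vpn3000-concentrator"},
}

# Step 2: ACS groups and their per-group NARs, expressed as the set of
# NDGs a member of that group may authenticate from.
ACS_GROUP_NAR = {
    "wireless+vpn": {"wireless", "vpn"},
    "wireless": {"wireless"},
    "none": set(),
}

# Step 3: external DB group mapping, evaluated top to bottom, first match
# wins. Each entry: (AD groups that must ALL be present, ACS group).
MAPPING_SPECIFIC_FIRST = [
    ({"wireless", "vpn"}, "wireless+vpn"),
    ({"wireless"}, "wireless"),
    (set(), "none"),            # catch-all default
]

# Same rules, wrong order: the less specific entry shadows the specific one.
MAPPING_WRONG_ORDER = [
    ({"wireless"}, "wireless"),
    ({"wireless", "vpn"}, "wireless+vpn"),
    (set(), "none"),
]


def map_to_acs_group(ad_groups, mapping):
    """Return the ACS group for a user's AD memberships (first match wins)."""
    ad_groups = set(ad_groups)
    for required, acs_group in mapping:
        if required <= ad_groups:       # every required AD group present
            return acs_group
    return "none"


def ndg_of(device):
    """Return the NDG a calling device belongs to, or None if unknown."""
    for name, devices in NDG.items():
        if device in devices:
            return name
    return None


def authorize(ad_groups, device, mapping=MAPPING_SPECIFIC_FIRST):
    """Decide whether a user may authenticate from a given device.

    Returns (acs_group, allowed). The AD dial-in flag plays no part here:
    the restriction is enforced by the ACS group's NAR, which is the point
    of the thread.
    """
    acs_group = map_to_acs_group(ad_groups, mapping)
    ndg = ndg_of(device)
    allowed = ndg is not None and ndg in ACS_GROUP_NAR[acs_group]
    return acs_group, allowed


if __name__ == "__main__":
    # Constructed sample users.
    staff = {"wireless", "vpn"}
    student = {"wireless"}
    for who, groups in (("staff", staff), ("student", student)):
        for dev in ("ap-library-1", "vpn3000-concentrator"):
            print(who, dev, authorize(groups, dev))
    # Ordering mistake: staff silently loses VPN.
    print("staff, wrong order:",
          authorize(staff, "vpn3000-concentrator", MAPPING_WRONG_ORDER))
```

Running it shows staff accepted from both the access point and the concentrator, students accepted only from the access point, and the misordered mapping sending staff to the wireless-only group; that last case is the one to check when "make a few tests" turns up a staff member who cannot VPN.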

zhenningx
Level 4

Can you restrict this using an ACL at the VLAN interface?
