Cisco Support Community


PIX: Using AD groups to control VPN client access and access lists?

Hi all,

I'm trying to configure both VPN client authentication and access to remote networks, but is this even possible?

The configuration: Pix515E with swver 7.1(2). VPN software clients. Windows server2003 with IAS. Site-to-site VPN to remote network.

The VPN clients are authenticated against the Active Directory using the IAS, (but using the WinNT link instead of RADIUS in the pix also works). I can write Authorisation rules to ask for the windows password before internal hosts are allowed to access the remote network.

The question is: How can I limit an AAA rule to a certain AD group? All AD users are allowed to open the client VPN, but not everyone is allowed to access the remote site.

Thanks for your information.


Re: PIX: Using AD groups to control VPN client access and access


With your current setup, I am not sure whether you can control certain AD groups to be associated to certain AAA rules.

Since your intention was to limit internal user access to certain remote subnets, the best is to apply rules associated to user account/ID at the authentication/AAA server level. But I am not sure whether IAS is loaded with such features.

The AAA rules in PIX have a fixed authentication/authorization configuration. Normally, it is the AAA server's responsibility to limit user access, privileges and so on.

Anyway, you can probably try to use an ACL (provided your client is using a static IP) to limit their access via host IP to certain subnets/remote sites.

But with Cisco ACS, you definitely can limit user access to certain networks, either using a downloadable ACL or by manually specifying reachable subnets/addresses.




Re: PIX: Using AD groups to control VPN client access and access


There is no problem doing this.

You simply add an entry in the advanced part of the IAS dial-in profile called Cisco AV-Pair.

Edit the Cisco AV-Pair and add all the ACL rules you like, with a syntax like the following example (the sequence number after # orders the entries, and an ACE for ip needs both a source and a destination):

ip:inacl#1=deny ip any any

You create different profiles with different AV-Pair settings and select which AD groups apply to which profiles.
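As an added example (not code from the original thread), the following Python models what the second answer describes, end to end: each AD group maps to an IAS profile, the profile's Cisco AV-pairs are returned to the PIX as RADIUS Vendor-Specific attributes (attribute 26, vendor id 9, vendor type 1 = cisco-avpair), and the PIX assembles the ip:inacl#N entries into a per-session inbound ACL that decides which remote subnets that user's VPN session may reach. The group names, the 10.10.0.0/16 client pool, the 10.20.0.0/16 internal network and the 192.168.50.0/24 remote site are constructed sample data, and the ACE matcher is a simplified one that understands only "permit/deny ip" with PIX-style subnet masks, "host" and "any".

```python
"""Model of AD group -> IAS profile -> cisco-avpair VSA -> PIX downloadable ACL.

Added example; addresses, group names and ACL entries are constructed.
"""
import ipaddress
import re
import struct

RADIUS_VSA = 26        # RADIUS Vendor-Specific attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor type of cisco-avpair

# Constructed sample data: one IAS profile per AD group. Only the remote-site
# group gets an ACE for 192.168.50.0/24; everyone else is limited to the LAN.
GROUP_PROFILES = {
    "VPN-RemoteSite": [
        "ip:inacl#1=permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0",
        "ip:inacl#2=permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0",
        "ip:inacl#3=deny ip any any",
    ],
    "VPN-Users": [
        "ip:inacl#1=permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0",
        "ip:inacl#2=deny ip any any",
    ],
}

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def encode_avpair_vsas(avpairs):
    """Encode AV-pairs as RADIUS VSAs, one attribute per pair (as IAS sends them)."""
    out = bytearray()
    for pair in avpairs:
        value = pair.encode("ascii")
        # vendor sub-attribute: type, length (includes these 2 bytes), value
        vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
        # outer attribute: type 26, length (type+len+vendor id+data), vendor id
        out += struct.pack("!BBI", RADIUS_VSA, 6 + len(vendor_data), CISCO_VENDOR_ID)
        out += vendor_data
    return bytes(out)


def parse_avpair_vsas(attrs):
    """Walk a run of RADIUS attributes and return the cisco-avpair strings in order."""
    pairs, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VSA or len(body) < 6:
            continue                       # not a VSA, or too short to hold one
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue                       # some other vendor's VSA
        vpos = 4
        while vpos + 2 <= len(body):
            vtype, vlen = body[vpos], body[vpos + 1]
            if vlen < 2 or vpos + vlen > len(body):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                pairs.append(body[vpos + 2:vpos + vlen].decode("ascii"))
            vpos += vlen
    return pairs


def build_inacl(avpairs):
    """Order ip:inacl#N entries by N into the session's inbound ACL; reject malformed pairs."""
    entries, seen = [], set()
    for pair in avpairs:
        m = INACL_RE.match(pair)
        if not m:
            raise ValueError(f"not an ip:inacl pair: {pair!r}")
        seq = int(m.group(1))
        if seq in seen:
            raise ValueError(f"duplicate inacl sequence {seq}")
        seen.add(seq)
        entries.append((seq, m.group(2).strip()))
    return [ace for _, ace in sorted(entries)]


def acl_for_group(group):
    """Full path: IAS profile -> VSA bytes on the wire -> ACL as the PIX would apply it."""
    return build_inacl(parse_avpair_vsas(encode_avpair_vsas(GROUP_PROFILES[group])))


def _net(tokens):
    """Consume one PIX-style address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def first_match(acl, src, dst):
    """First matching ACE wins, with the PIX's implicit deny at the end (ip-only matcher)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        action, proto, *rest = ace.split()
        if proto != "ip":
            raise ValueError(f"unsupported protocol in sample matcher: {ace!r}")
        src_net, rest = _net(rest)
        dst_net, _ = _net(rest)
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


if __name__ == "__main__":
    for group in GROUP_PROFILES:
        acl = acl_for_group(group)
        print(group, "-> remote site:", first_match(acl, "10.10.5.7", "192.168.50.10"))
```

The round trip through encode_avpair_vsas and parse_avpair_vsas is there to make the point that the PIX only ever sees what the RADIUS server returns: a user in VPN-RemoteSite reaches 192.168.50.0/24 while a user in VPN-Users does not, with no per-user configuration on the PIX itself. Note that the matcher above is deliberately minimal and does not cover ports, "icmp"/"tcp" entries or object groups.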