PIX: Using AD groups to control VPN client access and access lists?
I'm trying to configure both VPN client authentication and access to remote networks, but is this even possible?
The configuration: PIX 515E with software version 7.1(2). VPN software clients. Windows Server 2003 with IAS. Site-to-site VPN to the remote network.
The VPN clients are authenticated against Active Directory using IAS (using the WinNT link instead of RADIUS in the PIX also works). I can write authorisation rules to ask for the Windows password before internal hosts are allowed to access the remote network.
The question is: How can I limit an AAA rule to a certain AD group? All AD users are allowed to open the client VPN, but not everyone is allowed to access the remote site.
Re: PIX: Using AD groups to control VPN client access and access
With your current setup, I am not sure whether you can control certain AD groups to be associated with certain AAA rules.
Since your intention is to limit internal user access to certain remote subnets, the best approach is to apply rules associated with the user account/ID at the authentication/AAA server level. But I am not sure whether IAS is loaded with such features.
The AAA rules in the PIX have a fixed authentication/authorization configuration. Normally, it is the AAA server's responsibility to limit user access, privileges and so on.
Anyway, you can probably try to use ACL (provided your client is using static IP) to limit their access via host IP to certain subnets/remote sites.
But with Cisco ACS, you definitely can limit user access to certain networks, either using downloadable ACLs or by manually specifying reachable subnets/addresses.
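As an added illustration of the workaround in the reply (host-IP ACLs combined with the existing cut-through authentication), and not configuration from either poster, the fragment below restricts which inside hosts may reach the remote subnet and still demands a Windows logon from those that may. All addresses, ACL names and the `AD_IAS` aaa-server tag are constructed placeholders; the aaa-server group pointing at IAS is assumed to exist already. Because this filters by source IP, it only holds for hosts with static addresses, as the reply notes.

```cisco
! Constructed example, not from the thread. Placeholder values:
!   10.10.10.0/24        inside LAN
!   10.10.10.50, .51     hosts permitted to reach the remote site
!   192.168.50.0/24      remote site behind the site-to-site tunnel
!   AD_IAS               aaa-server group already configured for IAS (RADIUS)

! 1. Interface ACL: only the listed hosts may send traffic toward the remote
!    subnet; the rest of the LAN is denied that destination but keeps its
!    other access.
access-list INSIDE_IN extended permit ip host 10.10.10.50 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended permit ip host 10.10.10.51 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended deny ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! 2. Cut-through proxy: TCP sessions from the permitted hosts to the remote
!    subnet still have to authenticate against AD (via IAS) before they pass.
access-list AUTH_REMOTE extended permit tcp host 10.10.10.50 192.168.50.0 255.255.255.0
access-list AUTH_REMOTE extended permit tcp host 10.10.10.51 192.168.50.0 255.255.255.0
aaa authentication match AUTH_REMOTE inside AD_IAS
```

The two ACLs are deliberately kept separate: INSIDE_IN decides who can reach the remote site at all, AUTH_REMOTE decides which of that traffic is challenged for credentials. Adding a host means adding it to both lists, so it is worth checking `show access-list` after each change to confirm the hit counters move on the expected entries. This is host-based, not group-based, control; mapping an AD group to a policy, as the reply says, needs the AAA server side to supply it.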