
PIX: Using AD groups to control VPN client access and access lists?

tsolve_ulm
Level 1

Hi all,

I'm trying to configure both VPN client authentication and access to remote networks, but is this even possible?

The configuration: PIX 515E with software version 7.1(2). VPN software clients. Windows Server 2003 with IAS. Site-to-site VPN to the remote network.

The VPN clients are authenticated against Active Directory using IAS (but using the WinNT link instead of RADIUS on the PIX also works). I can write authorisation rules that ask for the Windows password before internal hosts are allowed to access the remote network.

The question is: How can I limit an AAA rule to a certain AD group? All AD users are allowed to open the client VPN, but not everyone is allowed to access the remote site.

Thanks for your information.

Arthur

2 Replies

a.kiprawih
Level 7

Hi,

With your current setup, I am not sure whether you can control which AD groups are associated with which AAA rules.

Since your intention is to limit internal user access to certain remote subnets, the best approach is to apply rules associated with the user account/ID at the authentication/AAA server level. But I am not sure whether IAS comes with such features.

The AAA rules in the PIX have a fixed authentication/authorization configuration. Normally, it is the AAA server's responsibility to limit user access, privileges and so on.

Anyway, you can probably try to use an ACL (provided your clients are using static IPs) to limit their access by host IP to certain subnets/remote sites.

But with Cisco ACS, you can definitely limit user access to certain networks, either using a downloadable ACL or by manually specifying the reachable subnets/addresses.

Rgds,

AK

thult
Level 1

Hi,

There is no problem doing this.

You simply add an entry in the advanced part of the IAS dial-in profile called Cisco-AV-Pair.

Edit the Cisco AV-Pair and add all the ACL rules you like, with syntax like the following example:

ip:inacl#=deny ip any 192.168.0.0 255.255.0.0

You create different profiles with different AV-Pair settings and select which AD groups apply to which profiles.
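The mechanism thult describes, shown end to end as an added example (this is not code from the thread, from IAS or from Cisco): each IAS remote access policy is matched to an AD group, first match wins, and the policy's Cisco-AV-Pair entries are returned to the PIX as Cisco Vendor-Specific attributes (vendor 9, vendor-type 1, cisco-avpair) inside the RADIUS Access-Accept. The RADIUS client side then verifies the Response Authenticator and reassembles the `ip:inacl#N=` entries in index order. The shared secret, request authenticator, group names and subnets are all constructed for illustration.

```python
"""Added example: Cisco AV-Pair per-user ACLs carried in a RADIUS Access-Accept.
Group names, secret, identifier and authenticator below are constructed
for this example and are not from the original thread."""
import hashlib
import re
import struct

ACCESS_ACCEPT = 2
RADIUS_VSA = 26          # attribute type: Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor-type of the cisco-avpair string

# One IAS remote access policy per AD group. IAS evaluates policies top-down
# and applies the first whose conditions match, so the order is significant.
# Masks are in the PIX form used in the post (subnet mask, not wildcard).
POLICIES = [
    ("CN=VPN-RemoteSite,OU=Groups,DC=example,DC=com", [   # assumed group
        "ip:inacl#1=permit ip any 192.168.0.0 255.255.0.0",
        "ip:inacl#2=permit ip any 10.0.0.0 255.0.0.0",
    ]),
    ("CN=VPN-Users,OU=Groups,DC=example,DC=com", [        # assumed group
        "ip:inacl#1=deny ip any 192.168.0.0 255.255.0.0",
        "ip:inacl#2=permit ip any 10.0.0.0 255.0.0.0",
    ]),
]


def select_policy(user_groups):
    """First-match selection, mirroring how IAS walks its policy list."""
    for group, avpairs in POLICIES:
        if group in user_groups:
            return avpairs
    return None  # no policy matched: IAS would send Access-Reject


def cisco_avpair_attr(value):
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VSA, 6 + len(vendor_part), CISCO_VENDOR_ID) + vendor_part


def build_access_accept(identifier, request_authenticator, secret, avpairs):
    """What the RADIUS server returns: one VSA per AV-Pair line."""
    attrs = b"".join(cisco_avpair_attr(v) for v in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_authenticator, secret):
    """Client side: authenticate the reply, then rebuild the ACL in #N order."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    entries = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == RADIUS_VSA and alen >= 8:
            (vendor_id,) = struct.unpack("!I", packet[pos + 2:pos + 6])
            vtype, vlen = packet[pos + 6], packet[pos + 7]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == alen - 6:
                text = packet[pos + 8:pos + alen].decode("ascii")
                m = re.fullmatch(r"ip:inacl#(\d+)=(.+)", text)
                if m:
                    entries[int(m.group(1))] = m.group(2)
        pos += alen
    # The #N index, not arrival order, fixes the position of each ACE.
    return [entries[n] for n in sorted(entries)]


if __name__ == "__main__":
    secret = b"s3cret-shared-with-pix"        # constructed
    req_auth = bytes(range(16))               # constructed request authenticator
    avpairs = select_policy(["CN=VPN-Users,OU=Groups,DC=example,DC=com"])
    reply = build_access_accept(7, req_auth, secret, avpairs)
    for ace in parse_access_accept(reply, req_auth, secret):
        print("access-list per-user", ace)
```

The two policies differ only in whether the first ACE permits or denies the remote-site range, which is exactly the "everyone may connect, only one group may reach the remote site" split Arthur asked about; a user who is in both groups gets the first matching policy, so the more permissive policy must sit above the restrictive one in IAS. The parser keys the ACEs on the `#N` index rather than on attribute order, and it rejects a reply whose Response Authenticator does not verify against the shared secret, which is the only integrity check a RADIUS client has on the downloaded ACL.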
