There is a requirement to restrict IPSec access and confine it to a few users only.
The setup we have is VPN Concentrator 3015 4.7.2P--> ACS Solution engine 4.2 -->LDAP -->Windows AD.
The LDAP server has around 30-35 groups and we have a few of them only to allow access.
I am not sure of what is the best way to allow access to only a few users. Currently, anyone having the group name and password can log in. But we want to restrict IPSec access to only a few groups.
In response to this requirement, I had configured RADIUS authorization on the VPN concentrator and I created a test ACS local group where I had configured a RADIUS attribute with a split tunnel access-list that's defined on the concentrator. This access-list is a dummy access-list that permits a small /29 subnet through the VPN. So, basically my idea was that I will restrict VPN control to specific users by having ACS local groups mapped to LDAP groups and then configure these local groups to push a RADIUS attribute 026\3076\027 "ipsec-split-tunnel-list" to the VPN concentrator.
This worked for me but the client wants a finer solution in this regard. He wants something to the effect of denying a user at the authentication stage itself. Is it possible?
Would really appreciate any suggestions / pointers on this.
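To make the attribute numbering in the post concrete (026 = Vendor-Specific, 3076 = the Cisco VPN 3000 vendor ID, 027 = the split-tunnel-list sub-attribute), here is an added Python example, not from the original thread, that encodes such a VSA in RFC 2865 vendor-type/vendor-length form and decodes it back from a RADIUS attribute list, as one would when checking a packet capture of what ACS actually sends the concentrator. The access-list name is a constructed sample value.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26            # RADIUS attribute type 26 (the "026" on the page)
VENDOR_CISCO_VPN3000 = 3076            # IANA vendor ID for Altiga / Cisco VPN 3000
CVPN3000_IPSEC_SPLIT_TUNNEL_LIST = 27  # sub-attribute "ipsec-split-tunnel-list"


def encode_vpn3000_vsa(sub_type, value):
    """Build one Vendor-Specific attribute carrying a VPN 3000 sub-attribute:
    type(1) len(1) vendor-id(4) vendor-type(1) vendor-len(1) value."""
    payload = value.encode("ascii")
    vendor_data = struct.pack("!BB", sub_type, 2 + len(payload)) + payload
    body = struct.pack("!I", VENDOR_CISCO_VPN3000) + vendor_data
    if 2 + len(body) > 255:  # the RADIUS attribute length field is a single byte
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vpn3000_attributes(blob):
    """Walk a RADIUS attribute list and return {sub_type: value} for every
    VPN 3000 VSA found; non-VSA attributes and other vendors are skipped."""
    found, pos = {}, 0
    while pos + 2 <= len(blob):
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        data = blob[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != VENDOR_CISCO_VPN3000:
            continue
        vdata, vpos = data[4:], 0
        while vpos + 2 <= len(vdata):
            vtype, vlen = vdata[vpos], vdata[vpos + 1]
            if vlen < 2 or vpos + vlen > len(vdata):
                raise ValueError("malformed vendor sub-attribute")
            found[vtype] = vdata[vpos + 2:vpos + vlen].decode("ascii")
            vpos += vlen
    return found


def split_tunnel_list_pushed(blob):
    """Name of the split-tunnel ACL the server pushed, or None if absent."""
    return decode_vpn3000_attributes(blob).get(CVPN3000_IPSEC_SPLIT_TUNNEL_LIST)


if __name__ == "__main__":
    # constructed sample: the dummy /29 access-list name from the post's design
    sample = encode_vpn3000_vsa(CVPN3000_IPSEC_SPLIT_TUNNEL_LIST, "vpn-split-dummy")
    print(sample.hex(), split_tunnel_list_pushed(sample))
```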
The problem seems to be that anyone existing in AD can get in granted that they have the VPN3000 groupname/password combo. If your client wants to stop users from getting in at the authentication stage, you can do this by eliminating the use of groupname/password for phase 1 authentication. If you use digital certs for phase 1 authentication, you can effectively control who can get in and who cannot. If you use something like MS CA to generate and issue the certificates, you can mark them as non-exportable such that whoever you issue the cert to cannot "copy" the cert over to another machine and have it function there. This would guarantee two things:
1) That a specific user is the only one allowed to get in to the VPN
2) That this user can only get in from the particular machine where they've installed the cert
However, if you are looking to accomplish this with the existing setup (i.e. groupname/password) and not digital certs, and if you are open to configuring a local ACS user group, you could employ the group-lock feature between the VPN3000 and ACS. With this feature, you can assign ACS users to a corresponding group on the VPN3000 device. You could then set up one group to allow all VPN access, while you set up another one to block all access. You could then control which users get mapped to which groups within ACS.
You may also be able to use NAC or NAC Framework to do identity based restriction. I took a quick peek at the deployment guide (pgs. 22 - 24) for NAC Framework and see that there looks to be an option for allowing network access based on identity in addition to posture assessment.