VPN 3005 and ACS and Microsoft AD.

maraz
Level 1

Hello,

I have a scenario where we have two groups in the VPN 3005, group1 and group2. I also have two users, user1 and user2, who are authenticated in AD via the ACS. What I want to accomplish is to tie user1 with group1 and user2 with group2. For example, if user1 gets hold of user2's account and password, or user2's group2 ID and password, he will not be able to log in. If something in this scenario is not clear, please let me know.

Best Regards

Robert Maras

2 Replies

gfullage
Cisco Employee

In user1's profile on the ACS server, send back Radius attribute 25 (Class) in the form:

OU=group1;

It's case-sensitive, and don't forget the semi-colon. The 3000 will receive this and put user1 into group1, regardless of what group they have configured in their VPN client.

I don't think you can actually stop user1 from logging in, but this way they'll always be in the correct group. If user1 does happen to get user2's username and password, though, there's nothing you can do about this, since how does the 3000 know that user1 is actually sitting at the keyboard and using user2's username?
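To make the reply above concrete, here is an added example (not from the thread or from Cisco) that encodes the RADIUS Class attribute (type 25, RFC 2865) as it would travel in an Access-Accept, decodes the attribute list back, and extracts the group lock using the strict form the reply describes. The exact matching rules (case-sensitive `OU=` prefix, mandatory trailing semicolon) are taken from the reply; treating any other form as "no lock" is an assumption about how strictly the concentrator parses it.

```python
import struct
from typing import List, Optional, Tuple

RADIUS_ATTR_CLASS = 25  # RFC 2865 attribute type for Class


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1 byte), Length (1 byte), Value."""
    if not 0 < len(value) <= 253:  # RADIUS attribute value limit
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list and return (type, value) pairs, rejecting malformed lengths."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, pos)
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def group_lock_from_class(value: bytes) -> Optional[str]:
    """Return the group name only for a Class value of the exact form 'OU=<group>;'.

    'ou=group1;' (wrong case) and 'OU=group1' (no semicolon) yield None.
    """
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not (text.startswith("OU=") and text.endswith(";")):
        return None
    group = text[3:-1]
    if not group or ";" in group or "=" in group:
        return None
    return group


def locked_group(reply_attributes: bytes) -> Optional[str]:
    """Find the first Class attribute in an Access-Accept that carries a valid group lock."""
    for attr_type, value in decode_attributes(reply_attributes):
        if attr_type == RADIUS_ATTR_CLASS:
            lock = group_lock_from_class(value)
            if lock is not None:
                return lock
    return None


# Constructed sample: the attribute list an ACS would return for user1
SAMPLE_ACCEPT = encode_attribute(RADIUS_ATTR_CLASS, b"OU=group1;")
```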

kbeltz
Level 1

The VPN 3000 Concentrator has the ability to lock users into a Concentrator group which will override the group the user has configured in the VPN 3000 client. In this way, access restrictions can be applied to various groups configured on the Concentrator with the assurance that the users are locked into that group with the RADIUS server.

For more details on how to configure it, check the following URL:

http://www.cisco.com/en/US/tech/tk583/tk59/technologies_configuration_example09186a00800946a2.shtml