Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN 3000 authentication against Windows AD controller???

I have a VPN 3000 and currently it authenticates against my domain controller. Is there a way to have it only allow access if they have an account in the Domain AND be a member of a security group in the domain??? I would like to stop users from getting the client and being able to remote in if they have a general domain user account. There are too many users to manage locally on the concentrator.

Thanks in advance,

Gene

1 ACCEPTED SOLUTION

Accepted Solutions

Re: VPN 3000 authentication against Windows AD controller???

You should look under authentication in your concentrator. (I haven't worked on one in a while, so I'm flying blind on this one.) Somewhere under there it will say RADIUS server, and it will have an ip address (if you're using it). If that server has "Internet Authentication Service" (IAS) under Administrative Tools, then that's your RADIUS server. You could have some other piece of software though because there a a lot of RADIUS servers available.

If it's IAS, then under the settings when you modify the properties, you'll see policies. Under those policies, groups are added and permitted or denied based on membership.

Here's a step-by-step link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

HTH,

John

HTH, John *** Please rate all useful posts ***
6 REPLIES

Re: VPN 3000 authentication against Windows AD controller???

It's been a while since I've messed with IAS, but you should be able to deny members unless they are a member of a group. This falls back on your RADIUS server though and not the concentrator.

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VPN 3000 authentication against Windows AD controller???

Good Point. I am not sure if someone has done this setup. I am new to this VPN, so I am not sure if it is authenticating through a radius, or just doing a straight LDAP authentication just to verify they have a user account on the domain. (not very secure as this will let in anyone that has an account)

Any other suggestions will be welcome..

Thanks

Gene

Re: VPN 3000 authentication against Windows AD controller???

You should look under authentication in your concentrator. (I haven't worked on one in a while, so I'm flying blind on this one.) Somewhere under there it will say RADIUS server, and it will have an ip address (if you're using it). If that server has "Internet Authentication Service" (IAS) under Administrative Tools, then that's your RADIUS server. You could have some other piece of software though because there a a lot of RADIUS servers available.

If it's IAS, then under the settings when you modify the properties, you'll see policies. Under those policies, groups are added and permitted or denied based on membership.

Here's a step-by-step link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VPN 3000 authentication against Windows AD controller???

Just logged back in to confirm. Only using NT domain Authentication servers, which I was afraid of.

Do you think you can remember if in this list, does it only use the top most server, or will it attempt to authenticate from top to bottom, ie try each server until it gets a hit, and if not, and the last is Internal, try the internal database?

And if you can remember that, how about this,

if it finds the username on the first listed server, but the password doesnt match, will it go through the list until it hits the internal database where the password does match? (if the password for the account is different on the domain than the local VPN database)

Thanks for the input!!!!

Gene

Re: VPN 3000 authentication against Windows AD controller???

Gene,

I think it works like aaa authentication in that it won't check then next one in the list if the first one responds.

If you're using domain authentication, why don't you convert to RADIUS? It still uses the same accounts, so I wouldn't think there would be any problems with converting to IAS.

Oh, and for your last question, no, if the first username passes, but the password fails, then it's considered a failed login and it will kick back a user login screen again. It won't continue through the list.

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: VPN 3000 authentication against Windows AD controller???

John,

I agree and by all means will do this. As soon as we complete an ISP cutover on Friday. Have to get IAS set up, then cut-over. Should not be too much of an issue. I did this with an Aruba appliance and Steel-Belted Radius, so it should be similar (I hope) Thanks for all your information...

Gene

133
Views
0
Helpful
6
Replies
CreatePlease to create content