The inability to limit VPN users by NT group security is still causing us pain. Right now, any valid NT user can use the VPN software (any version)
and access our entire network, labs, servers, dmz, etc. This appears to be a HUGE security hole.
We don't necessarily want everyone who has an account here (contractors, some techs, web developers outside the company, partners working on specific
IP addresses, etc.) to be able to access our network.
1. We would like to continue to use NT authentication for internal users to maintain one user password.
2. We would also like to create accounts using the Altiga userlist for external people who may need access to a specific IP address or subnet.
Example would be our web content developers outside the company. Only
access to our web server.
3. We want to create several NT groups in the domain that have VPN capability and we'll add those users to those groups on our NT domain.
4. Maintain a list of valid NT Groups (Example: DOMAIN\VPNfull, DOMAIN\Webserver, DOMAIN\VPNDmz, DOMAIN\VPNLabs, etc.) in the Altiga Box and the Altiga would check the user and make sure that that user is a member of a valid VPN group.
5. Allow those VPN groups to go to specific subnets or ip lists.
I recently set up VPN 3000. It works great. The resolution to your issue is to use a Radius Server.
A Radius server can map to an NT account and group. For example, the Funk (www.funk.com) Radius server allows you to specify the NT Group that has access. Once you do that, you then enable External Authentication on VPN 3000. Only people in that particular NT group will have access to it. Funk is a commercial product.
If budget is an issue, then use the Windows NT Radius Server that comes with the Windows NT Option Pack or Windows 2000 for free. The NT Radius server, which is known as Internet Authentication Service, allows access to only those users who have Dial-in permission. Under VPN 3000, you will configure this as an External radius server as well, not NT Domain authentication.
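The authorization step both posts describe (a valid domain password alone is not enough; the user must also belong to one of a short list of VPN-enabled NT groups, and each group unlocks only specific subnets) is easy to reason about as a small policy function. The following is an added example written for this thread, not code from Altiga, Funk or Microsoft IAS; the group names are the placeholders from the original post, the subnets and the user directory are constructed sample data, and the password check is assumed to have already happened against the domain.

```python
"""Added example (not from the thread): group-based VPN authorization.

Models the poster's plan: a table of NT groups permitted to use the VPN,
each mapped to the subnets its members may reach. Anyone with a valid
domain account but no VPN group is denied by default.
"""
import ipaddress
from dataclasses import dataclass

# Placeholder policy: NT group -> subnets its members may reach (constructed)
VPN_POLICY = {
    r"DOMAIN\VPNfull":   ["10.0.0.0/8"],
    r"DOMAIN\Webserver": ["10.1.5.10/32"],          # only the web server
    r"DOMAIN\VPNDmz":    ["192.168.100.0/24"],
    r"DOMAIN\VPNLabs":   ["10.20.0.0/16", "10.21.0.0/16"],
}

# Constructed sample directory: user -> NT groups the user belongs to
DIRECTORY = {
    "alice":      [r"DOMAIN\Domain Users", r"DOMAIN\VPNfull"],
    "webdev1":    [r"DOMAIN\Domain Users", r"DOMAIN\Webserver"],
    "contractor": [r"DOMAIN\Domain Users"],
    "labtech":    [r"DOMAIN\Domain Users", r"DOMAIN\VPNLabs", r"DOMAIN\VPNDmz"],
}


@dataclass
class Decision:
    accept: bool
    allowed_networks: list   # ip_network objects the session may reach
    reason: str


def authorize(user, password_ok, directory=DIRECTORY, policy=VPN_POLICY):
    """Return an Access-Accept/Reject style decision for a VPN login.

    password_ok is the result of the domain authentication that is assumed
    to have run first; this function only adds the group-based check.
    A user in several VPN groups gets the union of their subnets.
    """
    if not password_ok:
        return Decision(False, [], "authentication failed")
    groups = directory.get(user, [])
    matched = [g for g in groups if g in policy]
    if not matched:
        # Valid domain account, but not in any VPN-enabled group: deny.
        return Decision(False, [], "user not in any VPN-enabled group")
    nets = [ipaddress.ip_network(cidr) for g in matched for cidr in policy[g]]
    # Merge adjacent/overlapping ranges so the resulting filter is minimal.
    nets = list(ipaddress.collapse_addresses(nets))
    return Decision(True, nets, "member of " + ", ".join(matched))


def may_reach(decision, dst):
    """True if an accepted session is allowed to reach destination IP dst."""
    addr = ipaddress.ip_address(dst)
    return decision.accept and any(addr in n for n in decision.allowed_networks)


if __name__ == "__main__":
    for user in DIRECTORY:
        d = authorize(user, password_ok=True)
        print(user, "accept" if d.accept else "reject", d.reason,
              [str(n) for n in d.allowed_networks])
```

In a real deployment the `allowed_networks` list is what the RADIUS server would hand back to the concentrator as a per-user or per-group filter; the point of the example is that the default outcome for an account outside the listed groups is a reject, which closes the "any valid NT user gets the whole network" hole the original post complains about.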