Community Member

Altiga security problem

The inability to limit VPN users by NT group security is still causing us pain. Right now, any valid NT user can use the VPN software (any version) and access our entire network, labs, servers, DMZ, etc. This appears to be a HUGE security hole.

We don't necessarily want everyone who has an account here (contractors, some techs, web developers outside the company, partners working on specific IP addresses, etc.) to be able to access our network.

1. We would like to continue to use NT authentication for internal users to maintain one user password.

2. We would also like to create accounts using the Altiga userlist for external people who may need access to a specific IP address or subnet. An example would be our web content developers outside the company, who need access only to our web server.

3. We want to create several NT groups in the domain that have VPN capability and we'll add those users to those groups on our NT domain.

4. Maintain a list of valid NT groups (example: DOMAIN\VPNfull, DOMAIN\Webserver, DOMAIN\VPNDmz, DOMAIN\VPNLabs, etc.) in the Altiga box, and the Altiga would check the user and make sure that the user is a member of a valid VPN group.

5. Allow those VPN groups to go to specific subnets or IP lists.

Is this possible?

2 REPLIES
Community Member

Re: Altiga security problem

In order to do this you need to use an AAA server like Cisco Secure for NT and set up authorization for the VPN users.

Hope this helps

Community Member

Re: Altiga security problem

Hello,

Here is my 2 cents.

I recently set up a VPN 3000. It works great. The resolution to your issue is to use a RADIUS server.

A RADIUS server can map to NT accounts and groups. For example, the Funk (www.funk.com) RADIUS server allows you to specify the NT group that has access. Once you do that, you then enable External Authentication on the VPN 3000. Only people in that particular NT group will have access to it. Funk is a commercial product.

If budget is an issue, then use the Windows NT RADIUS server that comes with the Windows NT Option Pack or Windows 2000 for free. The NT RADIUS server, which is known as Internet Authentication Service, allows access only to those users who have dial-in permission. On the VPN 3000, you will configure this as an external RADIUS server as well, not NT domain authentication.

Faisal Khan

faisal.khan@ttc.ca

ccnp
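The scheme asked for in the original post (steps 3 to 5) and answered in the replies (a RADIUS server that maps NT group membership to VPN access) comes down to a small authorization policy: a valid NT account alone grants nothing, only membership in an allow-listed VPN group does, and each group is mapped to the subnets it may reach. The following is an added example of that policy as a standalone Python module; it is not code from the Altiga/VPN 3000, from Funk, or from any RADIUS server, and the group names, user directory and address ranges are constructed to mirror the DOMAIN\... examples in the post.

```python
"""Group-based VPN authorization policy, modelled on the thread's requirements.

Constructed example: a user is admitted to the VPN only if at least one of
their NT groups is on the allow-list, and the destinations they may reach are
the union of the subnets mapped to those groups.
"""
import ipaddress
from typing import Dict, List

# Allow-list: NT group -> subnets that group may reach.
# Group names follow the original post; address ranges are constructed.
VPN_GROUP_POLICY: Dict[str, List[str]] = {
    r"DOMAIN\VPNfull": ["10.0.0.0/8", "192.168.0.0/16"],
    r"DOMAIN\Webserver": ["192.168.10.5/32"],      # web content developers
    r"DOMAIN\VPNDmz": ["192.168.10.0/24"],
    r"DOMAIN\VPNLabs": ["10.50.0.0/16"],
}

# Constructed stand-in for what a RADIUS server looks up in the NT domain:
# user -> NT group memberships. "contractor" is a valid account with no VPN group.
NT_GROUPS: Dict[str, List[str]] = {
    "alice": [r"DOMAIN\Domain Users", r"DOMAIN\VPNfull"],
    "webdev": [r"DOMAIN\Domain Users", r"DOMAIN\Webserver"],
    "labtech": [r"DOMAIN\Domain Users", r"DOMAIN\VPNLabs", r"DOMAIN\VPNDmz"],
    "contractor": [r"DOMAIN\Domain Users"],
}


def _normalize(group: str) -> str:
    # NT group names are case-insensitive; compare them that way.
    return group.casefold()


def vpn_groups_for(user: str) -> List[str]:
    """Return the allow-listed VPN groups the user belongs to."""
    policy = {_normalize(g): g for g in VPN_GROUP_POLICY}
    return [policy[_normalize(g)] for g in NT_GROUPS.get(user, [])
            if _normalize(g) in policy]


def authorize_login(user: str) -> bool:
    """Step 4 of the post: a valid NT account alone is not enough to connect."""
    return bool(vpn_groups_for(user))


def allowed_networks(user: str) -> List[ipaddress.IPv4Network]:
    """Union of the subnets mapped to the user's VPN groups, deduplicated."""
    nets = set()
    for group in vpn_groups_for(user):
        nets.update(ipaddress.ip_network(n) for n in VPN_GROUP_POLICY[group])
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def authorize_destination(user: str, dst: str) -> bool:
    """Step 5 of the post: a member may reach only their groups' subnets."""
    if not authorize_login(user):
        return False                     # unknown user or no VPN group: deny
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed_networks(user))


if __name__ == "__main__":
    for name in NT_GROUPS:
        print(name, authorize_login(name),
              [str(n) for n in allowed_networks(name)])
    print("webdev -> 192.168.10.5:", authorize_destination("webdev", "192.168.10.5"))
    print("webdev -> 192.168.10.6:", authorize_destination("webdev", "192.168.10.6"))
```

The important behaviour is the default-deny path: `contractor` authenticates fine against the domain but is refused at `authorize_login`, which is exactly the gap the original post describes with the plain NT-domain authentication method. On a real deployment the group lookup would be done by the RADIUS server and the per-group subnet restriction pushed to the concentrator as attributes; this module only shows the decision logic.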
