Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Misuse of the VPN client configuratuion file

Question.

I setup 2 groups on my concentrator ( admin and user ) where the admin users have more permissions than the users.

But since the client can import any configuration file, a normal user can easily import an admin configuration file and use it.

This, how can this be solved ?

5 REPLIES
New Member

Re: Misuse of the VPN client configuratuion file

You can check the "group lock" feature in the group settings.

It will lock different users into different group.

A normal user import admin group settings, but his username does not belong to admin group, so he can not pass the user authentication, he still can not get VPN connection.

New Member

Re: Misuse of the VPN client configuratuion file

I don't really get it.

Our users authenticate via RADIUS, how is then possible to lock the users into a group ?

Example:

a users has admin rights and get the admin configuration file, for some reason this user moved and now only has user rights.

He still has the admin configuration file and so can easily still setup a VPN tunnel with these admin rights. How can the "group lock" differentiate the user from the admins or users ?

New Member

Re: Misuse of the VPN client configuratuion file

Here is the CCO sample on how to lock a user into a specific group by using Radius authentication.

http://www.cisco.com/warp/customer/471/altigagroup.html

"Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server"

You can lock that users into "normal-users" group, even though he got "admin-user" group profile, he still can not connect.

Best Regards,

Paul Qiu

New Member

Re: Misuse of the VPN client configuratuion file

Paul, I think thats partly an answer but not all of it. I'm looking particularly at where an organisation is looking to ultimately authenticate against an NT domain, either directly from a VPN3000 or via ACS.

Now lets say that there are varous groups in your organisation - finance accounting etc, and you want to have groups defined on your RAS to reflect this - with different permissions/ACL's for different groups.

We can create the different groups on the VPN3000, but given that all these groups are authenticating to a common NT user database, any valid username/ password, in conjunction with a relevant group file, will get any user into any group. There is no way of confirming from the domain that the relevant user account is a member of that group (or that the group even exists in the domain)

Is there any way this can be done on one central server (NT or otherwise)? I was particularly wondering about ODBC and having usernames/passwords/group memberships defined in a table, however, from what I can see of the ODBC option, the default group parameter is only returned from the ODBC source after successful authentication, it's not actually part of the request passed to the odbc source.

New Member

Re: Misuse of the VPN client configuratuion file

The feature you are talking about is integrated the VPN 3000 group totally with NT group. I do not think you can do it in current IOS version.

In the future release version 4.0 , there is a feature called "Active Directory / LDAP (Native) authentication/authorization EDCS-202550".

That future feature might to do what you want.

Best Regards,

Paul Qiu

176
Views
0
Helpful
5
Replies