Misuse of the VPN client configuration file

jpersyn
Level 1

Question.

I setup 2 groups on my concentrator ( admin and user ) where the admin users have more permissions than the users.

But since the client can import any configuration file, a normal user can easily import an admin configuration file and use it.

So, how can this be solved?

5 Replies

paqiu
Level 1

You can check the "group lock" feature in the group settings.

It will lock different users into different groups.

If a normal user imports the admin group settings, his username still does not belong to the admin group, so he cannot pass user authentication and still cannot get a VPN connection.

I don't really get it.

Our users authenticate via RADIUS, so how is it then possible to lock the users into a group?

Example:

A user has admin rights and gets the admin configuration file; for some reason this user moves and now only has user rights.

He still has the admin configuration file and so can easily still set up a VPN tunnel with these admin rights. How can the "group lock" differentiate the user from the admins or users?

Here is the CCO sample on how to lock a user into a specific group by using Radius authentication.

http://www.cisco.com/warp/customer/471/altigagroup.html

"Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server"

You can lock that user into the "normal-users" group; even though he has the "admin-user" group profile, he still cannot connect.

Best Regards,

Paul Qiu
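To make the mechanism in the reply above concrete, here is a small model of the group-lock decision, added to this thread as an illustration and not Cisco's concentrator code. It assumes the behaviour the linked CCO document describes: the client sends the GroupName taken from its .pcf profile, the RADIUS server returns a Class attribute of the form "OU=<group>;" in its Access-Accept, and the concentrator refuses the tunnel when that group does not match the one the profile asked for. The .pcf texts, the RADIUS user table, the passwords and the group names are all constructed for the example; the real client obfuscates the group password into enc_GroupPwd, which is not modelled here.

```python
"""Model of the VPN 3000 "group lock" using the RADIUS Class attribute.

Illustrative example for this thread (not Cisco's implementation). Scenario
from the question: a user who once had the admin .pcf profile is moved to the
normal-user group on the RADIUS server but still holds the admin profile.
"""
import configparser

# Constructed sample .pcf profiles (Cisco VPN Client profiles are INI-style;
# GroupPwd is kept in cleartext here for the example, the real client would
# rewrite it as enc_GroupPwd).
ADMIN_PCF = """[main]
Description=Admin profile
Host=vpn.example.com
AuthType=1
GroupName=admin
GroupPwd=admin-group-secret
Username=
"""

USER_PCF = """[main]
Description=Normal user profile
Host=vpn.example.com
AuthType=1
GroupName=user
GroupPwd=user-group-secret
Username=
"""

# Constructed group table as configured on the concentrator: name -> group password.
CONCENTRATOR_GROUPS = {"admin": "admin-group-secret", "user": "user-group-secret"}

# Constructed stand-in for the RADIUS user database. "class" is the Class
# attribute the server returns in Access-Accept; None means the user is not locked.
RADIUS_USERS = {
    "alice": {"password": "alice-pw", "class": "OU=admin;"},
    "bob":   {"password": "bob-pw",   "class": "OU=user;"},   # moved from admin to user
    "carol": {"password": "carol-pw", "class": None},         # no lock configured
}


def profile_credentials(pcf_text):
    """Extract (GroupName, GroupPwd) from a .pcf profile text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pcf_text)
    return cp["main"]["GroupName"], cp["main"]["GroupPwd"]


def radius_authenticate(username, password):
    """Return (accepted, class_attribute) as the RADIUS server would."""
    rec = RADIUS_USERS.get(username)
    if rec is None or rec["password"] != password:
        return False, None
    return True, rec["class"]


def locked_group(class_attr):
    """Parse the group name out of a Class value like 'OU=user;'; None if absent."""
    if not class_attr:
        return None
    for part in class_attr.split(";"):
        part = part.strip()
        if part.upper().startswith("OU="):
            return part[3:].strip() or None
    return None


def connect(pcf_text, username, password):
    """Model the concentrator's decision. Returns (allowed, group_used, reason)."""
    requested, group_pwd = profile_credentials(pcf_text)
    # Phase 1: group name and group password from the profile must match a configured group.
    if CONCENTRATOR_GROUPS.get(requested) != group_pwd:
        return False, None, "group authentication failed"
    # XAUTH: the individual user is checked against RADIUS.
    ok, class_attr = radius_authenticate(username, password)
    if not ok:
        return False, None, "user authentication failed"
    lock = locked_group(class_attr)
    if lock is None:
        # Without a Class attribute the concentrator has nothing to enforce:
        # any valid user gets whatever group the imported profile named.
        return True, requested, "no group lock; profile group accepted"
    if lock != requested:
        return False, None, "group lock mismatch: locked to %r, profile requested %r" % (lock, requested)
    return True, requested, "group lock matched"


if __name__ == "__main__":
    for pcf, user, pw in [(ADMIN_PCF, "bob", "bob-pw"), (USER_PCF, "bob", "bob-pw"),
                          (ADMIN_PCF, "alice", "alice-pw"), (ADMIN_PCF, "carol", "carol-pw")]:
        print(user, profile_credentials(pcf)[0], connect(pcf, user, pw))
```

The run shows the two cases the thread is about: bob with the old admin profile is rejected once RADIUS returns "OU=user;", while carol, who has no Class attribute, still lands in whichever group her profile names. That last case is the gap group lock closes only for users that actually have the attribute set on the RADIUS server.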

Paul, I think that's partly an answer but not all of it. I'm looking particularly at where an organisation is looking to ultimately authenticate against an NT domain, either directly from a VPN3000 or via ACS.

Now let's say that there are various groups in your organisation (finance, accounting etc.) and you want to have groups defined on your RAS to reflect this, with different permissions/ACLs for different groups.

We can create the different groups on the VPN3000, but given that all these groups are authenticating to a common NT user database, any valid username/password, in conjunction with a relevant group file, will get any user into any group. There is no way of confirming from the domain that the relevant user account is a member of that group (or that the group even exists in the domain).

Is there any way this can be done on one central server (NT or otherwise)? I was particularly wondering about ODBC and having usernames/passwords/group memberships defined in a table, however, from what I can see of the ODBC option, the default group parameter is only returned from the ODBC source after successful authentication, it's not actually part of the request passed to the odbc source.

The feature you are talking about integrates the VPN 3000 groups totally with NT groups. I do not think you can do it in the current IOS version.

In the future release, version 4.0, there is a feature called "Active Directory / LDAP (Native) authentication/authorization EDCS-202550".

That future feature might do what you want.

Best Regards,

Paul Qiu