Cisco Support Community
Community Member

VPN Client with NT Domain specific group Authentication !

I was able to integrate NT Domain authentication for the VPN clients; however, I need to know if I can restrict this authentication to a particular user group in the NT domain. All other users should not be allowed to VPN in.

3 REPLIES
Community Member

Re: VPN Client with NT Domain specific group Authentication !

I have the same question. Did you ever get an answer to this? Is there a way to limit which users in AD can access the VPN?

Community Member

Re: VPN Client with NT Domain specific group Authentication !

Yes, you can achieve this, but it has to involve a RADIUS server for authorization. The simplest way is using Microsoft IAS as the RADIUS server and the AD/NT Domain for credential authentication. The key concept is:

1. On the IAS server, the user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.

2. The connection attempt is authorized with both the dial-in properties of the user account and remote access policies.

3. If the connection attempt is both authenticated and authorized, the IAS server sends an Access-Accept message to the access server.

4. If the connection attempt is either not authenticated or not authorized, the IAS server sends an Access-Reject message to the access server.

For example, you have 3 groups under the DC: IT, Engineering and Finance. You want only IT and Engineering to be able to access the VPN, so you need to enable these 2 groups to access the VPN through the "dial-in properties". Finance group users can't access the VPN because of the failure of authorization.

The reason for choosing RADIUS is that not all of the possible authentication and authorization methods available in PIX/ASA 7.x software are supported when you deal with VPN users. This table details which methods are available for VPN users:

                Local  RADIUS  TACACS+  SDI  NT   Kerberos  LDAP

Authentication  Yes    Yes     Yes      Yes  Yes  Yes       No

Authorization   Yes    Yes     No       No   No   No        Yes

Check the following two links and the attached diagram; they might help.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

http://technet2.microsoft.com/windowsserver/en/library/c25dccdf-b91e-4fb1-8846-cd5bcc9bcf0e1033.mspx?mfr=true
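As an added example that is not part of the original thread, the ASA-side configuration the reply above describes: an ASA 7.x RADIUS server group pointing at a Microsoft IAS host, and an IPsec remote-access tunnel group for the VPN Client that sends its logins to that group. The server group name, addresses, pool, shared secret and pre-shared key are placeholders I chose, not values from the thread.

```text
! Added example configuration (not from the original post). ASA 7.x syntax.
! All names, addresses and secrets below are placeholders.

! Address pool handed to VPN clients.
ip local pool vpnpool 192.168.100.1-192.168.100.50 mask 255.255.255.0

! RADIUS server group "IAS" with one IAS host on the inside interface.
! IAS listens on 1812/1813 by default; the ASA defaults to 1645/1646,
! so the ports are set explicitly.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.1.1.10
 key S3cr3tSharedKey
 authentication-port 1812
 accounting-port 1813

! Remote-access tunnel group for the Cisco VPN Client.
! authentication-server-group sends the user's credentials to IAS, so the
! accept/reject decision (authentication AND authorization) is made there.
tunnel-group vpnclients type ipsec-ra
tunnel-group vpnclients general-attributes
 address-pool vpnpool
 authentication-server-group IAS
tunnel-group vpnclients ipsec-attributes
 pre-shared-key VpnGroupPSK
```

On the IAS side (assumed setup, configured in the IAS console rather than on the ASA): register the ASA's inside address as a RADIUS client with the same shared secret, then create a remote access policy whose condition is Windows-Groups matches the domain group that may use the VPN (e.g. DOMAIN\IT and DOMAIN\Engineering) with "Grant remote access permission". Users whose Dial-in tab is set to "Control access through Remote Access Policy" are then admitted only if they are in a matching group; everyone else falls through to the default policy and receives an Access-Reject, which is the authorization failure the reply describes. In a mixed-mode domain that option is not available, and the per-user "Allow access" dial-in flag is what has to be set, which is the per-user variant of the same check.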

Community Member

Re: VPN Client with NT Domain specific group Authentication !

Thanks, I'll try this and will update.
