VPN Client with NT Domain specific group Authentication !
I was able to integrate NT Domain authentication for the VPN clients, however I need to know if I can restrict this Authentication to a particular User group in the NT. All other users should not be allowed to VPN in.
Re: VPN Client with NT Domain specific group Authentication !
Yes, you can achieve this, but it has to involve a RADIUS server for authorization. The simplest way is using Microsoft IAS as the RADIUS server and the AD/NT domain for credential authentication. The key concept is:
1. On the IAS server, the user credentials are checked and the dial-in properties of the user account are obtained by using a secure connection to a domain controller.
2. The connection attempt is authorized with both the dial-in properties of the user account and remote access policies.
3. If the connection attempt is both authenticated and authorized, the IAS server sends an Access-Accept message to the access server.
4. If the connection attempt is either not authenticated or not authorized, the IAS server sends an Access-Reject message to the access server.
For example, you have 3 groups under the DC: IT, Engineering and Finance. You want only IT and Engineering to be able to access the VPN, so you need to enable these 2 groups to access the VPN through the "dial-in properties"; Finance group users can't access the VPN because authorization fails.
The reason for choosing RADIUS is: not all of the possible authentication and authorization methods available in PIX/ASA 7.x software are supported when you deal with VPN users. This table details which methods are available for VPN users:
                Local  RADIUS  TACACS+  SDI  NT   Kerberos  LDAP
Authentication  Yes    Yes     Yes      Yes  Yes  Yes       No
Authorization   Yes    Yes     No       No   No   No        Yes
Check the following two links and the attached diagram; they might help.
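As an added illustration (not IAS, ASA or the poster's own code), this Python model walks through the four-step decision described in the reply with the IT/Engineering/Finance example: credentials are checked first, then the account's dial-in property and a group-based remote access policy decide between Access-Accept and Access-Reject. The directory contents, passwords and the `control-via-policy` label are constructed assumptions.

```python
from dataclasses import dataclass
import hashlib
import hmac

# Account "dial-in" property, as exposed by an NT/AD user account (simplified labels)
ALLOW, DENY, POLICY = "allow", "deny", "control-via-policy"

def _h(pw: str) -> bytes:
    # Stand-in for the real credential check against a domain controller
    return hashlib.sha256(pw.encode()).digest()

@dataclass(frozen=True)
class Account:
    password_hash: bytes
    groups: frozenset
    dial_in: str = POLICY

# Constructed sample directory: the three groups from the thread, plus one IT
# user whose account explicitly denies dial-in regardless of policy.
DIRECTORY = {
    "alice": Account(_h("alice-pw"), frozenset({"IT"})),
    "bob":   Account(_h("bob-pw"),   frozenset({"Engineering"})),
    "carol": Account(_h("carol-pw"), frozenset({"Finance"})),
    "dave":  Account(_h("dave-pw"),  frozenset({"IT"}), dial_in=DENY),
}

# Remote access policy condition: membership in one of these groups grants VPN
VPN_ALLOWED_GROUPS = frozenset({"IT", "Engineering"})

def authenticate(user: str, password: str) -> bool:
    """Step 1: verify credentials; unknown users fail the same way as bad passwords."""
    acct = DIRECTORY.get(user)
    return acct is not None and hmac.compare_digest(acct.password_hash, _h(password))

def authorize(user: str) -> bool:
    """Step 2: account dial-in property first, then the remote access policy."""
    acct = DIRECTORY[user]
    if acct.dial_in == ALLOW:
        return True
    if acct.dial_in == DENY:
        return False
    return bool(acct.groups & VPN_ALLOWED_GROUPS)

def handle_access_request(user: str, password: str) -> tuple:
    """Steps 3-4: one RADIUS reply; the reason is for the server log, not the client."""
    if not authenticate(user, password):
        return "Access-Reject", "authentication failed"
    if not authorize(user):
        return "Access-Reject", "denied by dial-in property or remote access policy"
    return "Access-Accept", "authenticated and authorized"
```

The client only ever sees Access-Accept or Access-Reject; the reason string stays on the server side so a failed login does not reveal whether the password or the policy was the problem.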