Cisco Support Community
New Member

VPN Tunnel Authentication/Verification

I am pretty new to the VPN world and have a question about access to our network from remote users.

We have a Cisco VPN 3000 series. We have approximately 4000 employees. We want any employee to be able to be at home and have access to our network. I don't want to simply set up an 'employee' group and allow anyone to get access (although this would obviously be the easiest way to do it) through the VPN. If someone is fired or quits, we want to be able to stop that person from accessing our network. I also don't want to have to manage 4000 user accounts on the firewall; that would be a nightmare. Of course this solution is the one that my manager thinks is the best.

I have recently installed a Microsoft IAS server and have all my Cisco routers authenticating to it. Can I also use this server to allow different access levels to the users that want to access my network from home? If so, is it simply based on the users' NT credentials (i.e., Admin or user) or would I have to set up new accounts for them?

Also, another one of the options being floated around out there is to set up a certificate server and simply hand over a pre-formatted disk with certificate information to the people that want to use VPN. But again, we will not be able to control what happens to that disk after it leaves our office. I really think if Radius works like it should, it would solve our problems.

Thanks for any help. We are basically finally starting a 'real' security policy around here and this is our chance to get this thing right from the start!

Cisco Employee

Re: VPN Tunnel Authentication/Verification

Good to hear. May as well get it right from the beginning.

The 3000 can certainly authenticate to the Radius server, just add the server under the Config - System - Servers - Authentication section, then under the group under the IPSec tab, set the Authentication to Radius (make sure you leave the group defined as Internal on the first screen).

As for defining different access levels, this is a little trickier. Certainly changing Windows groups won't have any effect on what they can get to over the VPN, as the VPN merely authenticates that the user is valid, not what groups they're in. Probably the easiest way is to set up specific groups on the 3000, and define filters on those groups that will define what they can go to on your internal network. You then need to assign your Windows NT users to those 3000 groups; you do that by returning Radius attribute 25 (the Class attribute) to the concentrator.

Read the following on how to do this:
