VPN user control

hschnare
Level 1

Users connecting to our VPN 3000 concentrator are authenticated via SecurID. We would like to allow VPN access only for specific users and not for all users who have a SecurID card. Can this be achieved without making modifications on the SecurID server?

3 Replies

jmatser
Level 1

Someone can correct me if I'm wrong, but I do believe that user-level access control has to be managed by the SecurID (RADIUS?) server.

When you use a SecurID token, the Cisco passes off the authentication to that box, and it's up to the SecurID server to say if that user should or shouldn't be allowed remote access, and if so at what level.

This is my experience from reading the docs and working on the routers. Haven't done much work actually configuring SecurID servers though.

You might want to go and look up controlling user access levels (i.e. remote access) in your SecurID server docs.

Unfortunately we don't have the rights to do modifications to the SecurID server and I was hoping to perform a further user control on the VPN concentrator. I already played around with the "Group Lock" feature, but so far without success.

I think this can be done. On your RSA ACE server, do you have an agent host configured for your concentrator? If so, I believe you can just assign the agent host for your concentrator to those individuals you want to have access. If an individual is not assigned that agent host, then they should not be able to authenticate.

I should have read your post again... you cannot modify your ACE server. Sorry.