How do I block a user from VPN'ing in while AD is used for authentication

nygenxny123
Level 1

We currently use Active Directory to authenticate through IPsec VPN.

Employee was let go, so his AD account was disabled.

However, he has another AD username and password that cannot be disabled, since it is being used under other services.

Our entire company is under one Group Policy.

My question is: how would I block him from accessing the network?

4 Replies

rahgovin
Level 4

You could use DAP to block that user from authenticating successfully. Create a policy to match the user attribute (say sAMAccountName for LDAP) and terminate as policy action. For the rest of the users, you could use a continue action in the default policy, which should allow normal authentication and authorization.

For details on DAP:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

From the looks of it, I may have to configure an entire new group policy?

However, this could impact current users.

No, you won't have to configure any new group-policy. All you have to do is create a DAP policy saying that if a user comes with this attribute from RADIUS or LDAP (username in your case), apply a certain policy (terminate) to it. For all the rest of the users, since they don't match that criterion, they will hit the default DAP policy, which will allow them normally without applying any policy for them.

great!...thx!
