

Issues with VPN and Active Directory "Log On To" user restrictions


I don't have too many details about the exact system that our IT department is running, but hopefully I have enough information such that all of you might be able to help me out.

On our campus, we have Active Directory and we also have a Cisco VPN (trying to find out the exact appliance model number). To log into our VPN, we can use our Active Directory domain logins and that all works great. Since I am somewhat unfamiliar with Cisco systems, I'm guessing that this is through some kind of connection between the two systems (LDAP?).

I just ran into a hiccup lately where one of my domain accounts wasn't allowed to log in. Upon further research we found that the domain account has "Log On To" restrictions set in the user account. For those of you that aren't familiar with this setting, when editing an Active Directory user, there is an option under the user preferences called "Log On To". When you press that button, you are presented with a dialog in which you can specifically identify which computers that user account is allowed to log in to. For one reason or another, the VPN system is not allowing the user to log in to the VPN because it's not part of that list.

Here's the deal - I'm not looking for a work-around because we can just as easily create another account that doesn't have those "Log On To" restrictions (but that opens up security holes, which is why we don't want to do it).  Instead, I'd like to find out if there's a way for that account to authenticate through the VPN while keeping those "Log On To" restrictions in place.  For some reason the VPN is honoring those restrictions and I'd like to know why so that I can pass this information on to our IT staff so that we can apply the change (if it's even possible).

In the meantime, I'll see what other information I can get about our system. Please let me know if you need any more specifics about our setup and I'll see what I can get.
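An added example for the IT staff mentioned above (not part of the original thread): a PowerShell audit, assuming the RSAT ActiveDirectory module is installed, that lists the domain accounts whose "Log On To" list (stored in the userWorkstations attribute) is populated and flags whether a placeholder host name appears in each list. The host name is a placeholder to be replaced with whatever name the staff want to check for.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory RSAT module.
# Lists accounts whose "Log On To" list (the userWorkstations attribute, exposed
# by Get-ADUser as LogonWorkstations) is non-empty, so the accounts affected by
# this restriction can be reviewed instead of being replaced by unrestricted ones.
param(
    # Placeholder name to look for in each list; replace with the real host name.
    [string]$CheckHost = 'HOSTNAME-PLACEHOLDER'
)

Import-Module ActiveDirectory

# Only accounts with a populated userWorkstations attribute are restricted.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations, Enabled

$report = foreach ($u in $restricted) {
    # The attribute is one comma-separated string of NetBIOS computer names.
    $hosts = $u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        HostCount      = $hosts.Count
        ContainsHost   = ($hosts -contains $CheckHost)   # -contains is case-insensitive
        LogOnTo        = ($hosts -join ', ')
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
```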




Re: Issues with VPN and Active Directory "Log On To" user restri

I just got a message from the VPN admin and he said the VPN is "returning an error code of 'Invalid Password'".  He seems to think that the decision is getting made at the AD level and not at the VPN.  Oddly, it's not the incorrect password because when you remove the computers from the "Log On To" list, it authenticates just fine.

Unless someone has any ideas, it looks like we're going to have to create a specific VPN account without any logon restrictions... bummer.
