Cisco Support Community
New Member

Restrict some users to access VPN

We set up Cisco VPN using a Cisco ASA in our Windows 2008 domain network. That works fine. All our domain users can establish the VPN right now. We would like to make a change. We want to restrict some users, such as volunteers and part-time employees, from accessing the VPN. I was thinking of removing the domain users from the VPN and creating a VPN group which excludes the above-mentioned users. The problem is we don’t want to add each new user to the VPN group. Can we keep domain users as VPN users but restrict some users? If yes, how?

2 ACCEPTED SOLUTIONS

Accepted Solutions
New Member

Restrict some users to access VPN

Hi,

Look at this document:

https://supportforums.cisco.com/docs/DOC-13713

________________

Best regards,
MB

VIP Purple

Restrict some users to access VPN

As outlined in the document linked by MB, there are different ways to achieve that. I prefer another way:

  • The default group-policy that is attached to the tunnel-group disallows all communication.
  • On the Windows-RADIUS-Server I have profiles for each different user-group I want to distinguish. In the profile I match on the normal domain-groups and a new Group "VPN-Users" where all Users are members that should get access.
  • In the RADIUS-profile I set the attribute 25 (class) with the right group-policy for that user. The group policies are configured locally on that ASA.

With that it is quite easy to give VPN access to only those users that should have access and make sure that they get the right access based on their domain group.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
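
The three steps in the answer above, sketched as an ASA configuration. This is an added example, not configuration from the thread: all names (NOACCESS, GP-STAFF, RADIUS-NPS, VPN-RA, ACL-STAFF), the addresses and the domain group "Staff" are constructed, and using `vpn-simultaneous-logins 0` to make the default policy deny everything is an assumption about how the poster implemented that step.

```cisco
! Constructed sample: names and addresses are placeholders.

! 1. Default group-policy: any user who does not receive a
!    class attribute from RADIUS lands here and cannot connect.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 2. Per-role group-policy, selected by RADIUS attribute 25.
!    In a vpn-filter ACL the source is the VPN client pool and
!    the destination is the internal network being reached.
access-list ACL-STAFF extended permit ip 10.99.0.0 255.255.255.0 10.1.0.0 255.255.0.0
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-simultaneous-logins 3
 vpn-filter value ACL-STAFF

! 3. RADIUS server (Windows NPS/IAS) used for authentication.
aaa-server RADIUS-NPS protocol radius
aaa-server RADIUS-NPS (inside) host 192.0.2.10
 key <shared-secret>

! 4. Tunnel-group: authenticate against RADIUS, fall back to
!    the deny-all policy when no class attribute is returned.
tunnel-group VPN-RA type remote-access
tunnel-group VPN-RA general-attributes
 authentication-server-group RADIUS-NPS
 default-group-policy NOACCESS

! RADIUS server side (configured in the Windows console, not here):
!   Policy condition : user is a member of "VPN-Users" AND "Staff"
!   Returned attribute: Class (25) = OU=GP-STAFF;
! Volunteers and part-time staff are simply left out of "VPN-Users",
! so they authenticate but stay on NOACCESS and are disconnected.
```

`debug radius` on the ASA shows whether the class attribute arrives in the Access-Accept when a test user logs in; a user outside "VPN-Users" should be refused with no group-policy assigned from RADIUS.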

3 REPLIES
New Member

Restrict some users to access VPN

Yours should work, but I found the simple solution of disabling dial-in in Active Directory Users and Computers:

How to setup to deny VPN access on a user - Step by step with screenshots - http://www.howtonetworking.com/VPN/vpnpermission1.htm
