Restricting NT-authenticated VPN client users on 3005 concentrator

rts-net-support
Level 1

Hello all,

We have a Cisco VPN 3005 concentrator at our HQ. I have a group configured which uses NT domain authentication and it works fine. The problem is, as long as the user has a domain account, anybody can connect.

Is there a way to restrict access only to certain users from the NT domain ?

Thanks,

Stefan

5 Replies

grant.maynard
Level 4

If you used ACS between the VPN3000 and the DC, then you could map AD groups on the ACS.

But if you go VPN3000 straight to DC, then I don't believe there's anything you can do on the VPN3000. Unless there is something you can do on the DC, such as restricting dial-in access on the user account so that Windows fails the login.

Unfortunately we don't use ACS, the authentication is done directly via the Active Directory. But you gave me an idea.

We do have an internal LDAP server. I could create some users in this LDAP server, then configure it as authorization server for my group on the concentrator. Then, hopefully, only users that are in my LDAP will be authorized and, after that, authenticated against AD. Will that work?

Thanks,

Stefan

Just wanted to follow up on my message. We used an existing LDAP server and we solved the problem. All we had to do was create the needed objectClass in the LDAP server (as described at http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html ) and assign that to the users who need VPN access. Then we configured the LDAP as an authorization server for the group in the VPN Concentrator and everything worked.

I'm not quite sure what you mean (authorisation comes after authentication) but I'm glad it works for you.

Yes, you're right. The user connects, authentication kicks in (against the NT domain, which will succeed for any valid username) and then we get to authorization. But this time only those users defined in LDAP (and with the VPN3005 objectclass attached) will be authorized.
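As an added illustration (not code from the thread or from Cisco), the script below models the two-stage gate the thread ends up with and audits an LDAP export for it: NT domain authentication succeeds for any valid domain account, and LDAP authorization then only passes users whose entry carries the VPN objectClass. The objectClass name, the LDIF sample and the domain account list are all constructed assumptions; the real schema comes from the Cisco document linked above.

```python
# Added example: audit which domain accounts would get through NT authentication
# followed by LDAP authorization on the VPN 3005. All data below is constructed.

VPN_OBJECTCLASS = "cVPN3000-Remote-Access-User"  # hypothetical name, not Cisco's

SAMPLE_LDIF = """\
dn: uid=stefan,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: cVPN3000-Remote-Access-User
uid: stefan
description: remote access
  for HQ VPN

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
"""

DOMAIN_ACCOUNTS = {"stefan", "alice", "bob"}  # constructed NT domain user list


def parse_ldif(text):
    """Return {uid: set(objectClass values)} from a minimal LDIF export.
    Handles multi-valued attributes and folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = {}, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            uid = attrs.get("uid", [None])[0]
            if uid:
                entries[uid] = set(attrs.get("objectclass", []))
            attrs = {}
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def vpn_decision(username, domain_accounts, ldap_entries):
    """Model one login: NT authentication first, then LDAP authorization."""
    if username not in domain_accounts:
        return "deny: NT domain authentication failed"
    classes = {c.lower() for c in ldap_entries.get(username, set())}
    if VPN_OBJECTCLASS.lower() not in classes:
        return "deny: authenticated but not authorized in LDAP"
    return "allow"


def authorized_users(domain_accounts, ldap_entries):
    """Audit view: every domain account that would actually be let in."""
    return sorted(u for u in domain_accounts
                  if vpn_decision(u, domain_accounts, ldap_entries) == "allow")
```

Running `authorized_users(DOMAIN_ACCOUNTS, parse_ldif(SAMPLE_LDIF))` lists only `stefan`; `alice` has an LDAP entry without the objectClass and `bob` has no LDAP entry at all, so both stop at authorization despite a valid domain login.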
