Cisco Support Community
Restricting NT-authenticated VPN client users on 3005 concentrator

Hello all,

We have a Cisco VPN 3005 concentrator at our HQ. I have a group configured which uses NT domain authentication and it works fine. The problem is, as long as the user has a domain account, anybody can connect.

Is there a way to restrict access only to certain users from the NT domain ?

Thanks,

Stefan

5 REPLIES

Re: Restricting NT-authenticated VPN client users on 3005 concen

If you used ACS between the VPN3000 and the DC then use, you could map AD groups on the ACS.

But if you go VPN3000 straight to DC, then I don't believe there's anything you can do on the VPN3000. Unless there is something you can do on the DC, such as restricting dial-in access on the user account so that Windows fails the login.

New Member

Re: Restricting NT-authenticated VPN client users on 3005 concen

Unfortunately we don't use ACS, the authentication is done directly via the Active Directory. But you gave me an idea.

We do have an internal LDAP server. I could create some users in this LDAP server, then configure it as authorization server for my group on the concentrator. Then, hopefully, only users that are in my LDAP will be authorized and, after that, authenticated against AD. Will that work?

Thanks,

Stefan

New Member

Re: Restricting NT-authenticated VPN client users on 3005 concen

Just wanted to follow up on my message. We used an existing LDAP server and we solved the problem. All we had to do was create the needed objectClass in the LDAP server (as described at http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html ) and assign that to the users who need VPN access. Then we configured the LDAP as an authorization server for the group in the VPN Concentrator and everything worked.

Re: Restricting NT-authenticated VPN client users on 3005 concen

I'm not quite sure what you mean (authorisation comes after authentication) but I'm glad it works for you.

New Member

Re: Restricting NT-authenticated VPN client users on 3005 concen

Yes, you're right. The user connects, authentication kicks in (against the NT domain, which will succeed for any valid username) and then we get to authorization. But this time only those users defined in LDAP (and with the VPN3005 objectclass attached) will be authorized.
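The two-stage flow the thread ends on (authenticate against the NT domain, then authorize against LDAP by objectClass), as an added example that is not part of the original posts and is not Cisco's code. The NT accounts, the LDAP entries, the base DN and the objectClass name `cVPN3000-User-Authorization` are all assumptions made for illustration; check the objectClass and attribute names against the Cisco configuration guide linked above before building the real schema.

```python
"""Two-stage VPN login check: NT-domain authentication followed by LDAP
authorization, modelling the setup described in the thread.

Added example, not from the original post or from Cisco. The directory
contents, the NT accounts and the objectClass name
'cVPN3000-User-Authorization' are assumptions made for illustration.
"""
import hashlib
import hmac

# Constructed NT domain accounts: username -> sha256 hex of the password.
# Any of these users can authenticate; that is the problem the thread raises.
NT_DOMAIN_ACCOUNTS = {
    "stefan": hashlib.sha256(b"correct-horse").hexdigest(),
    "alice": hashlib.sha256(b"battery-staple").hexdigest(),
    "bob": hashlib.sha256(b"hunter2").hexdigest(),
}

# Assumed objectClass name; only entries carrying it should be authorized.
VPN_OBJECTCLASS = "cVPN3000-User-Authorization"

# Constructed LDAP directory: dn -> attributes.
LDAP_DIRECTORY = {
    "uid=stefan,ou=people,dc=example,dc=com": {
        "uid": ["stefan"],
        "objectClass": ["inetOrgPerson", VPN_OBJECTCLASS],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "objectClass": ["inetOrgPerson"],  # no VPN objectClass -> not authorized
    },
    # bob has a domain account but no LDAP entry at all
}


def nt_authenticate(username, password):
    """Stage 1: succeeds for any valid domain account (the thread's complaint)."""
    stored = NT_DOMAIN_ACCOUNTS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def ldap_authorize(username, base_dn="ou=people,dc=example,dc=com"):
    """Stage 2: emulate the search (&(uid=<user>)(objectClass=<VPN class>))
    under base_dn; a user with an entry but without the objectClass fails."""
    for dn, attrs in LDAP_DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if username in attrs.get("uid", []) and VPN_OBJECTCLASS in attrs.get("objectClass", []):
            return True
    return False


def vpn_login(username, password):
    """Return (allowed, stage_that_decided) for a connecting VPN client."""
    if not nt_authenticate(username, password):
        return False, "authentication"
    if not ldap_authorize(username):
        return False, "authorization"
    return True, "authorized"


def grant_ldif(dn):
    """LDIF modify record that attaches the VPN objectClass to an existing
    user entry, i.e. 'assign that to the users who need VPN access' as data."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        f"objectClass: {VPN_OBJECTCLASS}\n"
    )


if __name__ == "__main__":
    for user, pw in [("stefan", "correct-horse"), ("alice", "battery-staple"),
                     ("bob", "hunter2"), ("stefan", "wrong")]:
        print(user, vpn_login(user, pw))
    print(grant_ldif("uid=alice,ou=people,dc=example,dc=com"))
```

The point of the `alice` entry is that merely existing in the LDAP tree is not enough: the concentrator's authorization query has to require the objectClass, otherwise anyone who happens to have a directory entry gets through just as they did with the domain account alone.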
