Cisco Support Community
Community Member

VPN authenticating to active directory, how to restrict users

I currently have my ASA authenticating VPN users against Active Directory in conjunction with the Cisco VPN Client. I got this working great, but it seems like anyone with the client is able to authenticate. In Active Directory, under the Dial-in tab for a user, there is a Remote Access Permission setting with the options:

Allow Access

Deny Access

Control access through Remote Access Policy

If I have Deny selected, they can still VPN in.

Please tell me if there is any way to accomplish this or a workaround. Thanks.

Darren

7 REPLIES
Community Member

Re: VPN authenticating to active directory, how to restrict user

Normally, you configure the IAS remote access policy for a specific AD group. Please check whether the user is a member of that group.

Community Member

Re: VPN authenticating to active directory, how to restrict user

The VPN group specified in IAS does not contain the user account I can connect with. Here is my config for this:

aaa-server IAS protocol nt
aaa-server IAS host 192.168.1.5
nt-auth-domain-controller dcpdc

The authentication protocol is NT; I don't know if that helps.

Community Member

Re: VPN authenticating to active directory, how to restrict user

He is talking about your IAS server. Check the configuration of your Windows box; your answer is there.

Community Member

Re: VPN authenticating to active directory, how to restrict user

I usually use RADIUS myself.

The configuration would look like this:

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host "AD Domain controller"

This requires at least Windows 2000 servers that are running IAS.

Here is a link on how to configure it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Bronze

Re: VPN authenticating to active directory, how to restrict user

I can tell you I'm almost sure there is no document on cisco.com good enough to explain that to you, so I've written a document myself. I'm sorry it's in Portuguese (my language); you can use a translator to understand it.

There is no explanation of the IAS configuration in this document, but you said you have that already.

Please rate the post if it helps.

Community Member

Re: VPN authenticating to active directory, how to restrict user

Thanks for your post, but I figured it out just after posting this. The problem with using aaa-server protocol nt is that it does NTLM authentication but no authorization. I ended up using RADIUS for this, since it is able to do both authentication and authorization. That was my issue.
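As an added example, not posted by anyone in this thread, here is the ASA side of the RADIUS approach described above, so that the IAS remote access policy (and the AD group it is tied to) decides who may connect rather than the bare NTLM check. The server-group name, tunnel-group name, group-policy names, shared secret and the 192.168.1.5 host address are assumptions; the IAS side (a remote access policy granting the AD group and returning IETF RADIUS attribute 25, Class, with the value "OU=VPN-Users;") is described in the comments but not shown.

```cisco
! Added example, not from the original thread. Names, addresses and the
! shared secret are placeholders to be replaced with your own.
!
! 1. RADIUS server group pointing at the IAS box (here assumed to be the
!    same domain controller, 192.168.1.5). The key must match the RADIUS
!    client entry for the ASA on the IAS server.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.168.1.5
 key ReplaceWithSharedSecret
 authentication-port 1812
 accounting-port 1813
!
! 2. Deny-by-default group-policy. A user whom IAS authenticates but does
!    not place in a VPN policy lands here and cannot bring up a tunnel
!    because zero simultaneous logins are allowed.
group-policy NoVPN internal
group-policy NoVPN attributes
 vpn-simultaneous-logins 0
!
! 3. Group-policy for permitted users. When the IAS remote access policy
!    returns Class = "OU=VPN-Users;" in the Access-Accept, the ASA maps
!    the OU value to the group-policy of the same name.
group-policy VPN-Users internal
group-policy VPN-Users attributes
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
!
! 4. Tunnel-group used by the Cisco VPN Client: authenticate via IAS over
!    RADIUS and fall back to NoVPN unless IAS returns a matching Class.
tunnel-group RemoteUsers type ipsec-ra
tunnel-group RemoteUsers general-attributes
 authentication-server-group IAS-RADIUS
 default-group-policy NoVPN
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key ReplaceWithGroupKey
```

With this in place, a user whose AD account is not in the group named by the IAS policy gets an Access-Reject and never authenticates; the NoVPN default policy is a second layer for the case where IAS accepts the user but returns no Class attribute. To check the RADIUS path from the ASA before involving the client, use `test aaa-server authentication IAS-RADIUS host 192.168.1.5 username jdoe password <pw>` with one account inside the group and one outside it, and confirm the assigned policy on a live session with `show vpn-sessiondb remote`.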

Community Member

Re: VPN authenticating to active directory, how to restrict user

Did you make a radius server on windows 2000 or 2003?
