Re: VPN3005 IPSEC Access Control
Chip Old is correct:

do you have an IAS RADIUS server in your forest? It isn't
particularly difficult to bring up, especially if you want to evaluate
this approach.

-- create an AD group called VPN Users
-- on the IAS create a remote access policy with a connection property
something like <Windows-Group matches "yourdomainname\VPN Users">
(refine it as you like. This works pretty well.)

-- on the concentrator, add the IAS defined as a RADIUS server,
configuring a matching PSK on the IAS and concentrator

-- clone your current group for experiment, change the Authentication
in the IPSEC tab to RADIUS with Expiry.

Try it out. There are logs on the IAS server that you can work from.
This should be enough, also, to get you to the Cisco documentation.

It works well. It is a good blend of AD administration controls and
solid VPN.
On Sun, 6 Jan 2008 02:45:45 -0800 (PST), mark.cosens@xxxxxxxxx wrote:

On 6 Jan, 05:12, Chip Old <feo...@xxxxxxxx> wrote:
We have a Cisco VPN3005 VPN concentrator providing remote IPSEC connections
to clients using the Cisco VPN Client on Windows (mostly) and Mac OS X.
Individual users are authenticated via Active Directory and an internal
group configured on the VPN3005.

This has been working very well but allows all staff to use VPN. The powers
that be want to limit VPN access to a small group of "trusted" staff.

We could easily configure individual users and passwords on the VPN3005, but
that would give the network staff access to users' passwords as they create
the accounts. The powers that be prefer that we continue using Active
Directory, where users can change their passwords.

So, we need to use Active Directory for authentication but need to limit
access to a subset of our Active Directory users. Can it be done? If so,
how?

--
Chip Old

Does the 3005 authenticate via RADIUS? I am sure it would, I used to
use RADIUS authentication on an IOS router for VPN access. Just create
a Windows group called VPN Users for example, add your users &
configure IAS on a Windows server. I also have a recollection that the
3005 handles password expiry also, whereas an IOS router did not.
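The exchange the top reply describes, as a constructed Python model that is not part of the original thread: the concentrator sends a RADIUS Access-Request with the PAP password hidden under the shared secret (the PSK that must match on IAS and concentrator), the server applies the "member of VPN Users" policy, and the concentrator verifies the Response Authenticator before trusting the verdict. The directory contents, user names, group name, secret and the attribute subset of RFC 2865 used here are assumptions; a real IAS/AD deployment evaluates a proper remote access policy instead of this dictionary.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
REQUIRED_GROUP = "VPN Users"            # the AD group the IAS policy matches on (assumed name)
# Constructed stand-in for Active Directory: user -> (password, group memberships)
DIRECTORY = {"alice": ("Secret1!", {"Domain Users", "VPN Users"}),
             "bob":   ("Secret2!", {"Domain Users"})}

_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    padded = password.encode() + b"\0" * (-len(password) % 16)   # RFC 2865 5.2 padding
    out, prev = b"", authenticator                  # each block is XORed with MD5(secret + previous)
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(blob, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")

def build_access_request(ident, username, password, secret):
    auth = os.urandom(16)                                       # Request Authenticator
    name, pw = username.encode(), hide_password(password, secret, auth)
    attrs = b"".join(bytes((t, len(v) + 2)) + v for t, v in ((USER_NAME, name), (USER_PASSWORD, pw)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def server_respond(request, secret):   # IAS side: password must match AND user in REQUIRED_GROUP
    _, ident, length = struct.unpack("!BBH", request[:4])
    auth, attrs, i = request[4:20], {}, 20
    while i < length:                                           # walk the TLV attribute list
        attrs[request[i]] = request[i + 2:i + request[i + 1]]
        i += request[i + 1]
    entry = DIRECTORY.get(attrs[USER_NAME].decode(errors="replace"))
    ok = entry and entry[0] == reveal_password(attrs[USER_PASSWORD], secret, auth) and REQUIRED_GROUP in entry[1]
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + auth + secret).digest()     # Response Authenticator

def authenticate(username, password, client_secret, server_secret=None):
    """Whole exchange; returns 2 (Accept), 3 (Reject) or None when the two PSKs disagree."""
    server_secret = client_secret if server_secret is None else server_secret
    req = build_access_request(7, username, password, client_secret)
    resp = server_respond(req, server_secret)
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + client_secret).digest()
    return resp[0] if resp[4:20] == expected else None         # concentrator checks authenticator first
```

A user with the right AD password but outside the group is rejected, which is the whole point of the group-match policy; a PSK mismatch surfaces as an unverifiable response rather than as a wrong-password reject, which is what to look for in the IAS logs first.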