
3015 concentrator 1


UKHicks

IS-IT--Management
May 11, 2004
141
US
Hi, I hope I'm posting in the right forum, but here goes.

We have a Cisco 3015 VPN Concentrator and a Windows 2003 network in native mode. We don't want users to have two passwords when logging into the network over the VPN (i.e. their VPN password and network password), so we set up the group (every user is in this group) to use internal authentication, and pointed it to one of the domain controllers. It worked fine, and now when connecting to the VPN users just enter their regular network password.

The problem is this: we don't want all users to be able to use the VPN, and right now anyone with a network account can VPN in.

What can we do about this?

Any help would be much appreciated.
 
ukhicks,

I thought that when you backhauled to AD or a domain or whatever (my Microsoft sucks, but I'm working on that) for authentication, the 'allow dialin' or 'allow RAS dialup' or some such had to be checked? Could you try unchecking that?

Alternatively, I do know that if you used CiscoSecure ACS (for example), after a successful authentication proxy, the ACS server would cache that userid/password so it didn't have to talk to a PDC/BDC/whatever afterwards for that user. Perhaps the concentrator is the same? If the ACS server had an entry in its local user database, it would use that to authenticate the user. Basically what I'm trying to say is: could you add the userids that you DON'T want to have access to the network and set an unguessable password? (I realize this is backwards thinking, but I think the checkbox thing will work... hopefully)

hope that helps.
 
I understand the problem now. Authentication and Authorization are considered two different things in the Cisco world, it would seem (at least with this product). So although my domain controller is authenticating users, it's not controlling the authorizations. That seems pretty dumb... I have to use LDAP or a RADIUS server for that.
 
Oh and have a star for being nice enough to try to help.
 
Yeah, Cisco is pretty heavy into the 'AAA' (pronounced triple-A) mindset, and just about every device we make conforms to this:

Authentication - 'who are you?'
Authorization - 'what can you access?'
Accounting - logging, billing, etc.

I guess the root of the problem is that you don't have this kind of granular control over authorization when you go straight to a domain controller. I have integrated a few ACS boxes into a windows domain and remember using the 'allow dialin' access to control VPN access.

Good luck, and thanks for the star! (I think I can cash them in later for a rather large stuffed animal)
 
I'm actually waiting for a quote back for ACS; hopefully it will allow me to control access via that 'allow dial-in' option in the users' Active Directory accounts, just as you describe.
 