I'm a bit green, so I apologize if this is obvious:
I've come into a situation with a PIX configured for IPSec VPN. Authentication is configured for Kerberos against their Win2k3 DCs. There is no authorization server configured. This setup allows any valid, enabled AD user with the correct group PSK in their VPN client to authenticate and access any resource permitted under the group's ACLs.
What I'm looking to do is enable a method of denying VPN access for specific users in AD, regardless of the PCF they have installed in their Client, without restricting internal access. That is, I would like to be able to deny a specific user access to VPN without affecting internal access and without any invasive interaction (e.g. uninstalling their remote VPN client, deleting their PCF, changing the PSK, etc). With this current setup, I don't see how I can easily deny/grant VPN.
How would I go about [re]configuring for such capabilities? Is this what an authorization server is for?
Thanks!