We have a Cisco VPN3005 VPN concentrator providing remote IPsec connections to clients using the Cisco VPN Client on Windows (mostly) and Mac OS X. Individual users are authenticated via Active Directory and an internal group configured on the VPN3005.
This has been working very well but allows all staff to use the VPN. The powers that be want to limit VPN access to a small group of "trusted" staff.
We could easily configure individual users and passwords on the VPN3005, but that would give the network staff access to users' passwords as they create the accounts. The powers that be prefer that we continue using Active Directory, where users can change their passwords.
So, we need to use Active Directory for authentication but need to limit access to a subset of our Active Directory users. Can it be done? If so, how?