VPN3005 IPSEC Access Control

We have a Cisco VPN3005 VPN concentrator providing remote IPSEC connections to clients using the Cisco VPN Client on Windows (mostly) and Mac OS X. Individual users are authenticated via Active Directory and an internal group configured on the VPN3005.

This has been working very well but allows all staff to use VPN. The powers that be want to limit VPN access to a small group of "trusted" staff.

We could easily configure individual users and passwords on the VPN3005, but that would give the network staff access to users' passwords as they create the accounts. The powers that be prefer that we continue using Active Directory, where users can change their passwords.

So, we need to use Active Directory for authentication but need to limit access to a subset of our Active Directory users. Can it be done? If so, how?

Reply to
Chip Old

Does the 3005 authenticate via RADIUS? I am sure it would; I used to use RADIUS authentication on an IOS router for VPN access. Just create a Windows group called "VPN Users", for example, add your users, and configure IAS on a Windows server. I also have a recollection that the 3005 handles password expiry also, whereas an IOS router did not.
Reply to
mark.cosens

Use self signed certificate authentication for connecting. Only the subset of users you sign a certificate for will be able to connect.

Reply to
Rod Dorman

Chip Old is correct:

Do you have an IAS RADIUS server in your forest? It isn't particularly difficult to bring up, especially if you want to evaluate this approach.

-- Create an AD group called VPN Users.

-- On the IAS, create a remote access policy with a connection property something like (refine it as you like; this works pretty well.)

-- On the concentrator, add the IAS defined as a RADIUS server, configuring a matching PSK on the IAS and the concentrator.

-- Clone your current group for the experiment; change the Authentication in the IPSEC tab to RADIUS with Expiry.

Try it out. There are logs on the IAS server that you can work from. This should be enough, also, to get you to the Cisco documentation.

It works well. It is a good blend of AD administration controls and solid VPN.

Reply to
notaccie
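The RADIUS leg of the setup described above (concentrator to IAS, protected by the "matching PSK") is what decides whether only the AD group gets in, so here is an added example, not from any poster in this thread, of the RFC 2865 primitives involved: how the shared secret hides the User-Password in the Access-Request and how the concentrator can verify that an Access-Accept really came from the IAS server that holds the same secret. All values (the secret, the 16-byte Request Authenticator, the user name) are constructed.

```python
import hashlib
import struct

# Constructed stand-in for the PSK configured on both the IAS and the concentrator.
SECRET = b"example-shared-secret"

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def build_access_request(ident: int, request_auth: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Client (concentrator) side: Code 1, User-Name (1) and User-Password (2) AVPs."""
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    hidden = hide_password(password, secret, request_auth)
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + request_auth + attrs

def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: bytes = b"") -> bytes:
    """Server (IAS) side: Code 2; Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the local secret.
    A reply forged without the PSK, or from a server with a different PSK, fails."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return expected == resp_auth

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator (real ones are random)
    req = build_access_request(7, ra, b"alice", b"correct horse", SECRET)
    rep = build_access_accept(7, ra, SECRET)
    print("request bytes:", len(req), "accept verified:", verify_response(rep, ra, SECRET))
```

The same MD5-plus-secret construction is all that stands between a spoofed Access-Accept and the concentrator, which is why the PSK should be long and random and why the IAS logs mentioned above are worth watching for Access-Requests from unexpected NAS addresses.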
