gethoht (Member), Jun 01, 2007 at 5:16 pm, #125853
So here is my problem. I have a Cisco ASA5510, and I currently have one VPN tunnel group set up for remote access (using the Cisco client). We’ll call the first group VPN1. I have it authenticating to a Windows RADIUS server. The RADIUS server (IAS) has a policy that basically says “allow anyone in Windows “vpngroup1” access”. The VLAN that VPN1 has access to contains extremely sensitive data, and is highly restricted in terms of who can access it. I want to create a general-use VPN group for the rest of the users. Let’s say I create another VPN group on the Cisco (VPN2). I want it to use the Windows RADIUS server for authentication. The problem is, if I create a policy in IAS that says “allow anyone in “vpngroup2” access”, then it gives vpngroup2 access to VPN1 as well as VPN2.
How can I configure IAS to give access to VPN1 ONLY to “vpngroup1” and VPN2 ONLY to “vpngroup2”?
Should I ditch RADIUS and use LDAP or Kerberos? If so, then where would I configure the security policy?
A couple of notes:
I already have the first VPN set up successfully, so I have RADIUS set up correctly in AAA. I have the RADIUS server set up as an “authentication server group” in the VPN group settings.
I *don’t* want to use a user list on the Cisco; I want it integrated with AD.
I want to use only one RADIUS server if possible.
I know that an unauthorized user would have to know the VPN group password for VPN1, so it would still be theoretically secure, but I would like to have the extra layer of security.
This is a toughie, and I’m stuck. I appreciate any help/suggestions anyone can offer.