Solved

Active directory authenticated Cisco VPN users

Posted on 2006-11-16
8
605 Views
Last Modified: 2012-06-27
Hello there.
I have setup authentication to be Active directory on my Cisco 3030 VPN concentrator and created 2 groups (one for admins and the other for normal users), both authenticating against a windows 2003 domain controller.

I've allocated 2 different IP pools for the said groups and restricting user access based on IP address on my firewall, which sits right after the VPN concentrator.

My problem is, users who are part of the normal user group can get admin access by just copying the profile from an admin user and consequently get admin access onto the systems.

Is there anyway I can prevent this from happening using Active directory features ?

Hope I made myself clear.

Thanks in advance

Shiv
0
Comment
Question by:shivanthan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
8 Comments
 
LVL 10

Accepted Solution

by:
Phadke_hemant earned 200 total points
ID: 17954209
how come they copy the admin user profile? this means they have rights on the drive and mostly they are member of loca admin on the machines
remove the normal users from the local admin group from all the machines and recreate their profiles so that they cannot copy the admin profile and will not get the rights
0
 

Author Comment

by:shivanthan
ID: 17955656
Hi..thanks for the comment.
I already had a look at this option but need one which uses features of active directory and identify the users differently, and not letting them use the profile which is not meant for them.

Thanks
Shiv
0
 
LVL 5

Expert Comment

by:snowsurfer
ID: 17956500
Are you using RADIUS?
0
 
LVL 10

Expert Comment

by:Phadke_hemant
ID: 17963121
users can use other profile only if they have rights on that machine so you need to remove users from Local Administrators group on those machines and addd them to power users only. only this is not sufficient as they have already copied the admin profile so you need to delete the old profiles also
0
 

Author Comment

by:shivanthan
ID: 17963192
Yes, I am using Microsoft IAS server for the authentication.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
When using a search centre, I'm going to show you how to configure Sharepoint's search to only return results from the current site collection. Very useful when using Office 365 with multiple site collections.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question