
How can I allow and restrict user access on my VPN client?

How is it possible to allow certain end-users access to a VPN client, while restricting or limiting others? Is there a way to do this?


Typically, remote access networks are guarded by AAA (authentication, authorization and accounting) functionality, which starts with user provisioning. To accomplish this, a robust Identity Management system should be in place within any corporate access infrastructure. Also, a central user repository, such as LDAP or Active Directory, is typically at the heart of this central function.

The VPN access gateway ties into this infrastructure by authenticating remote access users against the central user directory. This ensures that any user is provisioned and, more importantly, de-provisioned correctly and in line with the user's company profile. A sophisticated VPN access system will not only authenticate remote access users against the company directory, but also synchronize users based on LDAP attributes or security groups -- and map the proper access privileges accordingly. So, depending on how the user's identity is provisioned within the company, the VPN user management system maps specific access profiles to groups of users. Such access profiles, in turn, determine and enforce specific access restrictions for the remote user. These restrictions might include the authentication type, such as multi-factor authentication; whether split tunneling is permitted; the specific destination networks for which an SA (security association) may be established; specific client firewall settings on the user's access device; specific endpoint protection rules, allowing or preventing a user from establishing a VPN tunnel based on criteria such as operating system type and version; or other configuration parameters.

VPN client provisioning is another interesting point to bring up in this context. An advanced VPN access system will be capable of deploying user-specific access profiles via a secure provisioning process: the client's personalized profile is managed centrally on the VPN access management system and pushed to the VPN client on first connection, in a locked state. This prevents the user or any third party from viewing or tampering with the VPN client profile. Obviously, such a requirement is easier to accomplish with a specialized client application, such as an IPsec VPN client, than with a browser-based client.
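The group-to-profile mapping described in the answer above, as an added example that is not part of the original column and not the code of any particular VPN product. The directory, group names, profiles and subnets are all constructed stand-ins: a real gateway would read group membership from the LDAP memberOf attribute rather than a dict, and the posture data would come from the endpoint agent. It shows the decision chain a gateway makes on a connection attempt: is the user provisioned at all, which profile do their groups map to, is the required authentication type satisfied, does the endpoint pass the OS check, and which destinations may an SA be built for (and hence whether the tunnel is split or full).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of the central directory: username -> security groups.
# In a real deployment this is the LDAP/AD memberOf attribute, not a dict.
DIRECTORY = {
    "alice": {"VPN-Users", "Engineering"},
    "bob": {"VPN-Users", "Contractors"},
    "carol": {"Finance"},  # never in VPN-Users: no VPN access at all
}


@dataclass(frozen=True)
class AccessProfile:
    name: str
    mfa_required: bool
    split_tunnel: bool
    allowed_networks: tuple        # destinations an SA may be built for
    min_os_version: dict           # os name -> minimum major version


# Hypothetical profiles; the subnets and version floors are made up.
ENGINEERING = AccessProfile(
    name="engineering",
    mfa_required=True,
    split_tunnel=False,            # full tunnel: all traffic via the gateway
    allowed_networks=(ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")),
    min_os_version={"windows": 10, "macos": 12, "linux": 5},
)
CONTRACTOR = AccessProfile(
    name="contractor",
    mfa_required=True,
    split_tunnel=True,             # only the listed subnets go through the tunnel
    allowed_networks=(ip_network("10.50.0.0/16"),),
    min_os_version={"windows": 10, "macos": 12},   # linux not permitted at all
)

# Ordered group -> profile map; first matching group wins, so the more
# privileged profile is listed first for users who sit in both groups.
GROUP_TO_PROFILE = (("Engineering", ENGINEERING), ("Contractors", CONTRACTOR))


def resolve_profile(username):
    """Map a directory user to an access profile via group membership.

    Returns None when the user must be refused: unknown to the directory
    (de-provisioned), not in the VPN-Users gate group, or in no group that
    maps to a profile. Default deny, never a fallback profile.
    """
    groups = DIRECTORY.get(username)
    if not groups or "VPN-Users" not in groups:
        return None
    for group, profile in GROUP_TO_PROFILE:
        if group in groups:
            return profile
    return None


def posture_ok(profile, os_name, os_major):
    """Endpoint rule: OS must be listed for the profile and meet the version floor."""
    minimum = profile.min_os_version.get(os_name.lower())
    return minimum is not None and os_major >= minimum


def sa_permitted(profile, dst):
    """May a security association be established toward this destination?"""
    addr = ip_address(dst)
    return any(addr in net for net in profile.allowed_networks)


def authorize(username, mfa_completed, os_name, os_major):
    """Full decision for one connection attempt.

    Returns a dict the gateway would use to reject the tunnel (with a reason
    for the accounting log) or to accept it and configure the client.
    """
    profile = resolve_profile(username)
    if profile is None:
        return {"allow": False, "reason": "user not provisioned for VPN"}
    if profile.mfa_required and not mfa_completed:
        return {"allow": False, "reason": "second factor required"}
    if not posture_ok(profile, os_name, os_major):
        return {"allow": False, "reason": "endpoint fails posture check"}
    return {
        "allow": True,
        "profile": profile.name,
        "split_tunnel": profile.split_tunnel,
        "routes": [str(n) for n in profile.allowed_networks],
    }


if __name__ == "__main__":
    for args in (("alice", True, "macos", 13), ("bob", True, "linux", 6),
                 ("bob", False, "windows", 11), ("carol", True, "windows", 11)):
        print(args, "->", authorize(*args))
```

Two design points worth noting: the "VPN-Users" gate group is checked before any profile lookup, so removing a user from that one group (or deleting the account) de-provisions VPN access regardless of other memberships; and every branch that cannot positively map the user to a profile denies, so a new group added to the directory grants nothing until an administrator maps it.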

Email your VPN-related questions to editor@searchenterprisewan.com.

This was first published in April 2012
