Thanks Joe, you have been extremely helpful. You are right, I should
read more on it and I will; I just needed answers quick.
You have been really helpful even though at times I was tempted to
call you a jerk :) but I am at your mercy since I need the help :)
On 11/15/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
> I really suggest you read the tech docs on this technology if you are going
> to be deploying it and supporting it...
>
> http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml
>
> WHY WOULDN'T YOU READ IT?
>
> How do you learn things?
>
> Who is paying you if you are not willing to even take basic steps to improve
> your knowledge of this basic technology?
>
> If you did read it,
>
> You would see this command under the SSL VPN group policy
>
> max-users 25
>
>
> Now regarding QOS for SSL VPN users;
>
> The best approach for this is to implement a WRED and CBWFQ policy for all
> traffic and make use of QoS policies that effectively ensure low latency
> traffic (i.e. voice) works regardless of what someone is pushing over their
> sslvpn connection.
>
> Additionally, if you want the entire ssl vpn process to be limited out
> of an interface, I would simply make a CAR policy (i.e. rate-limit commands)
> and match an ACL where the source of the traffic is the webvpn-ip and the
> destination is any. But you will have to play with this, as I can't recall
> how rate-limit works on traffic FROM the router.
>
> -Joe
>
> -----Original Message-----
> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
> Sent: Sunday, November 14, 2010 2:52 PM
> To: Joseph L. Brunner
> Cc: ccielab_at_groupstudy.com
> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>
> Is there a way to limit bandwidth and the number of users utilizing the
> sslvpn connection? I am thinking QoS policing inbound; is that a
> valid solution, and does anyone have other ideas?
>
> On 11/12/10, Beauty <fordownloadsccie_at_gmail.com> wrote:
>> Thanks a lot Joe, it's very clear now
>>
>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>> Block using devices like usb flash hd's, external hd, etc.
>>>
>>> -----Original Message-----
>>> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
>>> Sent: Friday, November 12, 2010 10:58 AM
>>> To: Joseph L. Brunner
>>> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>>>
>>> Please can you explain what you mean by "file" access? I am quite
>>> new in the Cisco security world.
>>>
>>> so pardon my ignorance.
>>>
>>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>>> Yes you can disable "file" access!
>>>>
>>>> http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7b.shtml#II1
>>>>
>>>> "Captain, I'm detecting much win in this sector"
>>>>
>>>>
>>>> -Joe
>>>>
>>>> -----Original Message-----
>>>> From: Beauty [mailto:fordownloadsccie_at_gmail.com]
>>>> Sent: Friday, November 12, 2010 10:37 AM
>>>> To: Joseph L. Brunner
>>>> Cc: ccielab_at_groupstudy.com
>>>> Subject: Re: IOS SSLVPN AND ACTIVE DIRECTORY
>>>>
>>>> Thanks Joe for the response,
>>>> Thanks for also laughing at my ignorance,
>>>> Also I want to know if the Cisco Secure Desktop also prevents users
>>>> from storing info accessed over the vpn on external devices like flash
>>>> drives, external HDD, CD-ROMs etc. If not, is there any Cisco or
>>>> network solution for this?
>>>>
>>>>
>>>>
>>>> On 11/12/10, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>>>> LOL,
>>>>>
>>>>> Yeah quite easily;
>>>>>
>>>>> Simply configure the standard radius groups you always configure and
>>>>> expose AD via radius in IAS in 2003 AD, or NPS in 2008
>>>>>
>>>>>
>>>>> aaa authentication login msftad group radius
>>>>>
>>>>> aaa authorization network msftad group radius
>>>>>
>>>>> radius-server host 10.110.20.10 auth-port 1645 acct-port 1646 key 7 0991430B2A5411001
>>>>>
>>>>> webvpn gateway somegw
>>>>> webvpn context some-context
>>>>>  policy group some-policy
>>>>>  default-group-policy some-policy
>>>>>  aaa authentication list msftad
>>>>>  aaa authorization list msftad
>>>>>  gateway somegw
>>>>>
>>>>> Then on AD, set up the IAS/NPS (here are some notes for Windows 2008
>>>>> Server's Network Policy Server (NPS)):
>>>>>
>>>>> http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3
>>>>>
>>>>> -Joe
>>>>>
>>>>> -----Original Message-----
>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Beauty
>>>>> Sent: Friday, November 12, 2010 10:07 AM
>>>>> To: ccielab_at_groupstudy.com
>>>>> Subject: OT: IOS SSLVPN AND ACTIVE DIRECTORY
>>>>>
>>>>> Hi All,
>>>>> Is it possible to configure IOS sslvpn to authenticate users against
>>>>> Active Directory? If yes, can anyone provide suitable links?
>>>>>
>>>>> --
>>>>> Warm Regards ,
>>>>> Beauty
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
--
Warm Regards ,
Beauty

Received on Mon Nov 15 2010 - 10:47:37 ART
This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART
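
The QoS approach Joe describes in the thread (a CBWFQ and WRED policy for all traffic, plus an optional CAR rate limit matching an ACL whose source is the WebVPN address), written out as IOS configuration. This is an added example, not part of the original thread; the interface, class, policy and ACL names, the 192.0.2.10 gateway address, the EF marking for voice and all rates and percentages are assumptions.

```cisco
! Added example, not from the thread. All names, addresses, markings
! and rates below are assumptions chosen for illustration.
!
! Classify low-latency traffic (assumes voice is marked DSCP EF).
class-map match-any VOICE
 match ip dscp ef
!
! CBWFQ policy: voice gets a strict-priority queue; everything else,
! SSL VPN traffic included, shares class-default with fair queuing
! and WRED so that one bulk flow cannot starve the others.
policy-map WAN-EDGE-OUT
 class VOICE
  priority percent 30
 class class-default
  fair-queue
  random-detect dscp-based
!
! ACL for the CAR policy: source is the WebVPN gateway address
! (192.0.2.10 is a documentation placeholder), destination is any.
access-list 150 permit ip host 192.0.2.10 any
!
interface GigabitEthernet0/0
 service-policy output WAN-EDGE-OUT
 ! CAR: cap traffic matching ACL 150 at 2 Mbps outbound.
 ! As noted in the thread, CAR behaviour for traffic originated by
 ! the router itself needs to be tested before relying on it.
 rate-limit output access-group 150 2000000 375000 750000 conform-action transmit exceed-action drop
```

`show policy-map interface GigabitEthernet0/0` and `show interfaces GigabitEthernet0/0 rate-limit` report the per-class and CAR counters, which is how to confirm whether the SSL VPN traffic is actually being matched.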