Manage Learn to apply best practices and optimize your operations.

How can I allow and restrict user access on my VPN client?

Rainer Enders explains how to allow certain users to access a VPN client while restricting others.

How is it possible to allow certain end-users access to a VPN client, while restricting or limiting others? Is there a way to do this?

Typically, remote access networks are guarded by AAA (authentication, authorization and accounting) functionality,...

which starts with user provisioning. To accomplish this, a robust Identity Management system should be in place within any corporate access infrastructure. Also, a central user repository, such as LDAP or Active Directory, is typically at the heart of this central function.

The VPN access gateway ties into this infrastructure by verifying and authenticating remote access users against the central user directory. This ensures that any user is provisioned and, more importantly, de-provisioned correctly and in compliance with the user’s company profile. A sophisticated VPN access system will not only authenticate remote access users against the company user directory, but also synchronize users depending on LDAP attributes or Security Groups -- and map proper access privileges accordingly. So, depending on how the user’s identity is provisioned within the company, the VPN user management system maps specific access profiles to groups of users. Such access profiles, in turn, determine and enforce specific access restrictions for the dialup user. These restrictions might include authentication type, such as n-factor authentication; split tunneling; specific destination networks for which an SA (security association) is permitted; specific client firewall settings on the user access device; specific endpoint protection rules being enforced, allowing or preventing a user from establishing a VPN tunnel based on succinct criteria, such as operating system type and version; or other configuration parameters.

VPN client provisioning is another interesting point to bring up in this context. An advanced VPN access system will be capable of deploying user-specific access profiles via a secure provisioning process where the client’s personalized profile is managed from the VPN access management system and pushed to the VPN user the first time the connection is in a locked state. This prevents the user or any other third party from viewing or tampering with the VPN client profile. Obviously, such a requirement is easier to accomplish with a specialized client application, such as an IPsec VPN client, versus a browser-based application.

Email your VPN-related questions to [email protected].

This was last published in April 2012

Dig Deeper on WAN technologies and services