Article by Syed Jahanzaib !
For setups running Microsoft ISA Server 2004 / 2006 as a VPN server for LAN users, or cable-internet type setups where sharing of user IDs is common, you may want to ensure that internet access works only for (VPN) dial-in users, with one ID allowed one session at a time (stopping multiple logins with the same ID). There are a few solutions available for this problem. Search Google and you will find many. There are some ‘limitlogin’ type add-ons available which limit a user's login to a single session, but I achieved this in my own customized way. I can give you a kind of workaround. I recently set up this sort of scenario at my friend's cable network.
I presume you have properly configured ISA and the VPN server (if not, please visit this link to set up VPN in ISA).
Create a user in Active Directory (if you have a domain environment; if not, create the user in Computer Management). In the user's Dial-in properties, assign a fixed IP address from any series you like, in this case 192.168.x.x. Remember that you must assign a fixed address to every user.
(This step is a must: internet will work only for those users to whom you assign an IP from the 192.168.x.x pool.)
Now create an allow rule in ISA Server to allow all traffic from ‘VPN Clients’ to ‘EXTERNAL’.
Now, in Policy Elements, define a new Computer Set named ‘Fake Users’. Add an IP range for Fake Users such as 10.0.0.1-10.0.0.255. (Remember that internet access for this series will be blocked by the ISA firewall rule that we create below.)
Now, in ISA Server, create a DENY rule which denies traffic from this Fake Users computer set / IP range (10.0.0.1-10.0.0.255) ‘TO’ ‘EXTERNAL’ only.
(This step is for those users who are not logged in via the dialer, or who try to log in with the ID/password of an already connected user. They will be able to connect to the ISA server, but they will be redirected to the ACCESS DENIED page.)
So now, if a user ID is already connected and some smart azz tries to use the same ID and password to connect, he will connect, but he will get an IP from the 10.0.0.1 series, and thus internet access will be denied because of the deny rule you created for the 10.0.0.x series.
Only the first connected user will get a valid IP (the one you defined, i.e. 192.168.x.x), and only his internet will work.
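Because a duplicate login still connects and simply lands in the Fake Users range, the assigned address itself tells you which IDs are being shared. The following is an added example, not part of the original article: it audits a snapshot of VPN sessions against the two ranges above. The record layout, the user names and the use of 192.168.0.0/16 for "192.168.x.x" are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges from the article; 192.168.0.0/16 stands in for "192.168.x.x" (assumption).
VALID_NET = ipaddress.ip_network("192.168.0.0/16")
FAKE_FIRST = ipaddress.ip_address("10.0.0.1")
FAKE_LAST = ipaddress.ip_address("10.0.0.255")

# Constructed sample records (user, assigned VPN address). The layout is an
# assumption for this example, not an ISA Server log format.
SAMPLE_SESSIONS = [
    ("ali", "192.168.1.10"),
    ("sara", "192.168.1.11"),
    ("ali", "10.0.0.7"),     # second login with ali's ID while the first is up
    ("guest", "10.0.0.9"),   # only a Fake Users address seen for this ID
    ("omar", "172.16.5.4"),  # address outside both ranges
]

def classify(ip_text):
    """Return 'valid', 'fake' or 'unknown' for an assigned VPN address."""
    ip = ipaddress.ip_address(ip_text)
    if ip in VALID_NET:
        return "valid"
    if FAKE_FIRST <= ip <= FAKE_LAST:
        return "fake"
    return "unknown"

def audit(sessions):
    """Group sessions per user ID and return {user: finding} for IDs to review."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, ip in sessions:
        per_user[user][classify(ip)].append(ip)
    report = {}
    for user, kinds in per_user.items():
        if kinds["valid"] and kinds["fake"]:
            report[user] = "shared-credentials"  # extra login got a fake address
        elif kinds["fake"]:
            report[user] = "fake-only"           # no valid session in this snapshot
        elif kinds["unknown"]:
            report[user] = "unexpected-range"    # address pool or rule mismatch
        elif len(kinds["valid"]) > 1:
            report[user] = "multiple-valid"      # one-session scheme not holding
    return report

if __name__ == "__main__":
    for user, finding in sorted(audit(SAMPLE_SESSIONS).items()):
        print(f"{user}: {finding}")
```

A flagged session is still connected to the VPN server; the deny rule above only blocks its traffic to EXTERNAL.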
A few days back, I configured Radius Manager 3.9 on Linux along with a Mikrotik 4.17 server with a scratch card / refill system. It's a really cool and customizable giant. You can read the full story at :