Article by Syed Jahanzaib !
For setups running Microsoft ISA Server 2004 / 2006 as a VPN server for LAN users, or cable-internet type setups where user ID sharing is common among users, you may want to ensure that internet works only for (VPN) dial-in users, with one session per ID at a time (no multiple logins with the same ID). There are a few solutions available to this problem. Search Google and you will find many. There are some 'limitlogin' type add-ons available which limit a user's login to a single session, but I achieve this in my own customized way. I can give you a kind of workaround. I recently set up this sort of scenario at my friend's cable network.
I presume you have properly configured ISA and the VPN server. If not, please visit this link to set up VPN in ISA:
http://www.isaserver.org/articles/2004vpnserver.html
Create a user in Active Directory (if you have a domain environment; if not, create the user in Computer Management). In the user's DIALIN properties, assign a fixed IP from any series you like, in this case 192.168.x.x. Remember that you must assign a fixed address to every user.
(This step is a must: internet will work only for those users to whom you assign an IP from the 192.168.x.x pool.)
Now create an allow rule in ISA Server to allow all traffic from 'VPN Clients' to 'EXTERNAL'.
Now in Policy Elements, define a new Computer Set named 'Fake Users'. Add the IP range for Fake Users, like 10.0.0.1-10.0.0.255. (Remember that internet for this series will be blocked by the ISA firewall rule that we create below.)
Now in ISA Server, create a DENY rule which denies traffic from this FAKE USERS computer set / IP range (10.0.0.1-10.0.0.255) 'TO' 'EXTERNAL' only.
(This step is for those users who are not logged in via the dialer, or who try to log in with the ID/password of an already connected user. They will be able to connect to the ISA server, but they will be redirected to the ACCESS DENIED page.)
So now if a user ID is already connected and some smart azz tries to use the same ID/password to connect, he will connect, but he will get an IP from the 10.0.0.1 series, and thus internet access will be denied because of the deny rule you created for the 10.0.0.x series.
Only the first connected user will get a valid IP (the one you define, i.e. 192.168.x.x), and only his net will work.
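An added example (not part of the original article, and not ISA Server code) that audits the fixed-IP assignments and labels VPN sessions the way the two rules above treat them. The user names and addresses are constructed, 192.168.0.0/16 is assumed for the article's 192.168.x.x series, and the spare VPN address pool is assumed to be exactly the 'Fake Users' range.

```python
import ipaddress
from collections import defaultdict

# Ranges from the article; 192.168.0.0/16 is an assumption for "192.168.x.x".
VALID_NET = ipaddress.ip_network("192.168.0.0/16")
FAKE_FIRST = ipaddress.ip_address("10.0.0.1")
FAKE_LAST = ipaddress.ip_address("10.0.0.255")

def in_fake_range(ip):
    """True if ip falls inside the 'Fake Users' computer set."""
    return FAKE_FIRST <= ipaddress.ip_address(ip) <= FAKE_LAST

def audit_assignments(static_ips):
    """Return configuration problems in a {user: fixed dial-in IP} map."""
    problems, owners = [], defaultdict(list)
    for user, ip in static_ips.items():
        owners[ip].append(user)
        if in_fake_range(ip):
            problems.append(f"{user}: fixed IP {ip} is inside the denied range")
        elif ipaddress.ip_address(ip) not in VALID_NET:
            problems.append(f"{user}: fixed IP {ip} is outside {VALID_NET}")
    for ip, users in owners.items():
        if len(users) > 1:  # two IDs sharing one fixed address defeats the scheme
            problems.append(f"{ip} is assigned to: {', '.join(sorted(users))}")
    return problems

def classify_sessions(sessions, static_ips):
    """Label each (user, client_ip) session as the firewall rules would."""
    result = []
    for user, ip in sessions:
        if in_fake_range(ip):
            verdict = "DENIED: extra session on a shared ID"
        elif static_ips.get(user) == ip:
            verdict = "ALLOWED: first session"
        else:
            verdict = "REVIEW: not the fixed IP, not covered by the deny rule"
        result.append((user, ip, verdict))
    return result

# Constructed sample data (hypothetical users and addresses).
STATIC_IPS = {"ali": "192.168.10.2", "sara": "192.168.10.3",
              "omar": "192.168.10.3", "zain": "10.0.0.9"}
SESSIONS = [("ali", "192.168.10.2"), ("ali", "10.0.0.5"), ("sara", "172.16.0.8")]

if __name__ == "__main__":
    for problem in audit_assignments(STATIC_IPS):
        print("CONFIG", problem)
    for session in classify_sessions(SESSIONS, STATIC_IPS):
        print(*session)
```

A session labelled REVIEW is the case to watch: its address is outside the 'Fake Users' range, so the deny rule does not apply to it.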
A few days back, I configured Radius Manager 3.9 on Linux along with a Mikrotik 4.17 server with a scratch card / refill system. It's a really cool and customizable giant. You can read the full story at:
https://aacable.wordpress.com/2011/07/05/a-network-design-glass-line-pvt-ltd-june-2011/
Regards,
Syed Jahanzaib
Hi, Jahanzaib bhai,
Assalam-o-alaiqum
Thanks for the good reply…… you didn't post a link of complete Mikrotik on your last post
Few days back, I configured Radius Manager 3.9 on Linux alongwith Mikrotik 4.17 server with scratch card / refill system. Its really cool and customizable giant. You can Read the full story at :????????Link??????
Comment by Irfan Alam — January 13, 2012 @ 6:52 PM
Open google.com and search
aacable howto setup mini isp
OR try this.
Comment by Syed Jahanzaib / Pinochio~:) — January 14, 2012 @ 10:46 AM
AoA, Jahanzaib bhai, what should be the internal IP of this ISA server? Is it from the 10.0.0.1-10.0.0.255 or the 192.168.x.x range? Also tell me what should be the IP pool for DHCP???
Comment by faizan — March 14, 2012 @ 1:27 PM
Example IP scheme (modify it as per your network):
ISA LAN = 192.168.2.1
DHCP for LAN = 192.168.2.10-192.168.2.255
POOL FOR VPN Users = any like 172.16.0.1-172.16.0.255
Comment by Syed Jahanzaib / Pinochio~:) — March 14, 2012 @ 3:20 PM
Thanks Jahanzaib bhai! I just want to know: according to your article, the deny rule should be for the LAN IP pool, that is (192.168.2.1-192.168.2.255), and the allow rule for VPN users (172.16.0.1-172.16.0.255). Correct me if I am wrong……
Comment by faizan — March 14, 2012 @ 11:50 PM