Re: pix vpn radius authentication question

Discussion in 'Cisco' started by John Smith, Dec 2, 2004.

  1. John Smith

    John Smith Guest

    mcaissie,

    for configuring the cisco vpn client, do you fill in their domain
    information for group name/password?



    "mcaissie" <> wrote in message
    news:Cdqrd.251911$9b.119877@edtnps84...
    >I use PIX + IAS to authenticate Cisco VPN client using their Windows 2000
    > domain account without problems.
    >
    > in PIX:
    > aaa-server partnerauth protocol radius
    > aaa-server partnerauth (inside) host [IAS IP] [secret] timeout 5
    >
    > crypto map [cryptoname] client authentication partnerauth
    >
    > in IAS:
    > -- add client
    > ------PIX inside IP
    > ------client-vendor = Radius Standard
    > ------secret
    >
    > --add Remote access policy
    > ----- with conditions NAS IP address matches [ PIX inside IP ]
    > -----you can add a condition Windows-Group matches (and create a group in
    > which you put the users you want to give access)
    > -----in Profile - Authentication, you need to select only Unencrypted
    > authentication
    >
    >
    > User account must also have "Remote Access Permission " - "Allow access"
    >
    >
    > "John Smith" <> wrote in message
    > news:...
    >> according to cisco:
    >> "Pix Firewall does not directly support WindowsNT/2000 domain
    >> authentication. To use Windows NT/2000 domain authentication with the
    >> PIX, use a RADIUS server such as CSACS, and configure the RADIUS server
    >> to
    >> authenticate against the NT/2000 directory."
    >> this is for client vpn access, btw.
    >> does this mean if i use MS's radius server (IAS) that I can configure the
    >> PIX to authenticate against it, and then use IAS to authenticate against
    >> active directory? Does anyone have any experience w/ this setup?
    >>
    >> also, i am currently using IAS to authenticate wireless users as well
    >> (aironet 1200's), just fyi...
    >>
    >> -TIA
    >>

    >
    >
    John Smith, Dec 2, 2004
    #1

  2. mcaissie

    mcaissie Guest


    >
    > for configuring the cisco vpn client, do you fill in their domain
    > information for group name/password?
    >


    No,

    Cisco Client Group authentication name/password refers to the
    PIX config line

    vpngroup [name] password [password]

    once you pass this level of authentication, you will get the logon screen
    where you can put your domain name/password

    mcaissie, Dec 2, 2004
    #2
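    Added example (not from either poster): what the PIX actually puts on the
    wire to IAS when the remote access policy is set to "Unencrypted
    authentication" (PAP over RADIUS, RFC 2865). The shared secret configured on
    both the `aaa-server` line and the IAS client entry is used twice: to hide
    the User-Password attribute in the Access-Request, and to compute the
    Response Authenticator that lets the PIX reject a forged or mis-keyed
    Access-Accept. The NAS-IP-Address attribute is the value the IAS policy
    condition "NAS IP address matches [PIX inside IP]" is evaluated against. The
    secret, user name, password and addresses below are constructed sample
    values; `send_access_request` is an optional helper for testing an IAS policy
    from a workstation before pointing the PIX at it.

```python
"""Minimal RADIUS (RFC 2865) Access-Request builder and reply verifier.

Demonstrates the PAP ("Unencrypted authentication") exchange between a NAS
such as the PIX and a RADIUS server such as IAS, and the two jobs the shared
secret does: hiding User-Password and authenticating the server's reply.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: zero-pad to 16-byte blocks, then each block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. This is obfuscation keyed by the secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))  # what the IAS policy matches
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(payload: bytes) -> dict:
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes):
    """Return (code, identifier, attrs) only if the Response Authenticator
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) checks out."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length mismatch")
    resp_auth, attrs_raw = reply[4:20], reply[20:]
    expected = hashlib.md5(reply[:4] + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    return code, ident, parse_attributes(attrs_raw)


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side of the exchange, used here to show verification offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def send_access_request(server_ip: str, secret: bytes, user: str, password: str,
                        nas_ip: str, port: int = 1812, timeout: float = 5.0):
    """Live check of an IAS/RADIUS policy from a workstation (not run in tests)."""
    req = build_access_request(ident=1, user=user, password=password, secret=secret, nas_ip=nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server_ip, port))
        reply, _ = s.recvfrom(4096)
    return verify_reply(reply, req[4:20], secret)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or addresses.
    secret, ra = b"example-shared-secret", bytes(range(16))
    req = build_access_request(7, "jsmith", "Winter2004!", secret, "10.0.0.1", ra)
    print("request bytes:", req.hex())
    code, ident, attrs = verify_reply(build_reply(ACCESS_ACCEPT, req, secret), ra, secret)
    print("verified reply code", code, "id", ident)
```

    Because the same secret also drives the password hiding, a wrong or weak
    secret on one side shows up as a Response Authenticator failure rather than
    a plain reject, which is the first thing to check when the PIX reports the
    RADIUS server as unreachable or failing.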

  3. John Smith

    John Smith Guest

    superduper..
    thanks! i got it to work!

    "mcaissie" <> wrote in message
    news:zrLrd.265325$9b.250617@edtnps84...
    >
    >>
    >> for configuring the cisco vpn client, do you fill in their domain
    >> information for group name/password?
    >>

    >
    > No,
    >
    > Cisco Client Group authentication name/password refers to the
    > PIX config line
    >
    > vpngroup [name] password [password]
    >
    > once you pass this level of authentication, you will get the logon screen
    > where you can put your domain name/password
    >
    John Smith, Dec 3, 2004
    #3