pix vpn radius authentication question

Discussion in 'Cisco' started by John Smith, Dec 1, 2004.

  1. John Smith

    John Smith Guest

    According to Cisco:
    "PIX Firewall does not directly support Windows NT/2000 domain
    authentication. To use Windows NT/2000 domain authentication with the PIX,
    use a RADIUS server such as CSACS, and configure the RADIUS server to
    authenticate against the NT/2000 directory."
    This is for client VPN access, btw.
    Does this mean that if I use MS's RADIUS server (IAS) I can configure the
    PIX to authenticate against it, and then use IAS to authenticate against
    Active Directory? Does anyone have any experience with this setup?

    Also, I am currently using IAS to authenticate wireless users as well
    (Aironet 1200s), just FYI...

    -TIA
     
    John Smith, Dec 1, 2004
    #1

  2. mcaissie

    mcaissie Guest

    I use PIX + IAS to authenticate Cisco VPN client using their Windows 2000
    domain account without problems.

    in PIX:
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host [IAS IP] [secret] timeout 5

    crypto map [cryptoname] client authentication partnerauth

    in IAS:
    -- add client
    ------PIX inside IP
    ------client-vendor = Radius Standard
    ------secret

    --add Remote access policy
    ----- with conditions NAS IP address matches [ PIX inside IP ]
    -----you can add a condition Windows-Group matches (and create a group in
    which you put the users you want to give access)
    -----in Profile - Authentication, you need to select only Unencrypted
    authentication


    User account must also have "Remote Access Permission" - "Allow access"
     
    mcaissie, Dec 1, 2004
    #2
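Added example, not part of the thread or of any Cisco or Microsoft code: the RADIUS exchange that the `aaa-server partnerauth protocol radius` lines on the PIX side and the "Unencrypted authentication" (PAP) setting on the IAS side produce, modelled on both ends in Python per RFC 2865. The PIX address, shared secret, account names, passwords and group are constructed placeholders, and the IAS half is a toy that checks only the conditions mcaissie lists (registered client, NAS-IP-Address, PAP password against the account, Windows-Group, dial-in permission). It shows what the profile setting commits you to: the password crosses the inside network hidden only by an MD5 keystream derived from the shared secret, and a secret mismatch between the two boxes surfaces as a reply the PIX cannot verify (so the `timeout 5` path) rather than a clean reject.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types

# Constructed placeholders for "[PIX inside IP]", "[secret]", the IAS client list,
# the AD accounts and the Windows-Group named in the remote access policy.
PIX_INSIDE_IP = "192.0.2.1"
IAS_CLIENTS = {PIX_INSIDE_IP: b"example-shared-secret"}        # client IP -> secret
AD_ACCOUNTS = {"jsmith": {"password": b"Winter2004!", "dialin": True},
               "guest": {"password": b"guest", "dialin": False}}
VPN_GROUP = {"jsmith"}                                          # Windows-Group condition


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding, as the PIX does for PAP: XOR with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse: IAS recovers the clear password before checking the account."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")          # drop the NUL padding


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """The packet the PIX sends to its 'aaa-server partnerauth' host for a VPN client login."""
    request_auth = request_auth or os.urandom(16)   # fresh random authenticator per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """PIX side: the Response Authenticator ties the reply to this request and to the secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth


def ias_handle(packet, source_ip):
    """Toy IAS: registered client, NAS-IP-Address condition, PAP password, Windows-Group, dial-in."""
    secret = IAS_CLIENTS.get(source_ip)
    if secret is None:
        return None                     # unregistered client: RADIUS silently discards
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    acct = AD_ACCOUNTS.get(user)
    ok = (code == ACCESS_REQUEST
          and socket.inet_ntoa(attrs.get(NAS_IP_ADDRESS, b"\0\0\0\0")) == PIX_INSIDE_IP
          and acct is not None
          and reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth) == acct["password"]
          and acct["dialin"] and user in VPN_GROUP)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def pix_login(username, password, pix_secret=b"example-shared-secret"):
    """Whole exchange; returns the code the PIX acts on, or None when no verifiable reply arrives."""
    request_auth = os.urandom(16)
    req = build_access_request(7, username, password.encode(), pix_secret, PIX_INSIDE_IP, request_auth)
    resp = ias_handle(req, PIX_INSIDE_IP)
    if resp is None or not verify_response(resp, request_auth, pix_secret):
        return None                     # a mismatched secret ends here, not in a reject
    return resp[0]
```

`pix_login("jsmith", "Winter2004!")` returns 2 (Access-Accept); the same call for `guest` (no dial-in permission, not in the group) returns 3; passing `pix_secret=b"typo"` returns None because the reply is signed with the secret IAS holds. Two things worth keeping in mind from the model: a sniffer on the inside segment between PIX and IAS gets the hidden password plus the request authenticator, so the shared secret is the only thing standing between it and the domain password, and a real IAS matches the client by the UDP source address, which this toy approximates with the NAS-IP-Address attribute.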

  3. John Smith

    John Smith Guest

    Damn, one more thing to test/implement, heheh...

    THANKS!



     
    John Smith, Dec 1, 2004
    #3