topic Re: PIX and Microsoft IAS in Network Security

PIX and Microsoft IAS

curtiskline — Fri, 21 Feb 2020 05:59:26 GMT

I've seen several references to the use of MS IAS as a RADIUS server for PIX VPN authentication. I think this would be a good solution for us, but I'm wondering if anyone has followed Cisco's instructions and could relate their experience with installing, configuring, and maintaining this setup.

Any information would be greatly appreciated.

Thanks,

Curtis

Re: PIX and Microsoft IAS

bsaltbaek — Wed, 27 Feb 2002 17:34:42 GMT

Hi Curtis.

Our company uses Windows 2000 IAS as authentication for our PIX (sw 6.1.0) with Cisco's VPN client 3.x to let our employes, customers and partners access our local network.

It tool me quite some time to set it up since Cisco does not give any setup information for Windows NT4 IAS or W2K IAS. They only describe how a RADIUS-server in general should behave.

But, now it works. And it works GREAT. We just have to add an Windows user account to a Windows user group and then the user do or do not have access to use VPN. Very simple.

Actually, we have different Windows user groups with dirrent users. Based on the group the user is in he is mapped to a specific "access-list" on the PIX. This way we can allow customers and partners access to parts of our local network via VPN by controlling it all in the Windows domain.

Feel free to ask for a setup example (I think I posted one some months ago here in the forum).

Regards,

Bjarne Saltbaek (W2K IAS wizard?!? :-D)

Re: PIX and Microsoft IAS

curtiskline — Wed, 27 Feb 2002 18:34:39 GMT

Bjarne,

Thanks for the info! Have you seen the following document on Cisco's website? It seems to cover the Windows IAS setup in some detail...

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

Also, do your VPN users run the Cisco VPN client or just the Microsoft built-in client?

Curtis

Re: PIX and Microsoft IAS

bsaltbaek — Wed, 27 Feb 2002 21:14:39 GMT

Hi Curtis.

No, I haven't seen/read that.

And yes - in "some details". It doesn't tell you about access-list-mapping.

The example only allows global access to the network.

If you ask me. The document is worthless 😞

(or usefull if you can live with low security)

What if your company has a dial-in pool as well as VPN-access. Is the users that uses VPN allowed to use dial-in. In the cisco example yes.

In our company: really bad security!

And, our users run the Cisco VPN Client 3.x (downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-3des) - not the unsecure PPTP in Windows 2000 (IMHO).

Regards,

Bjarne

Re: PIX and Microsoft IAS

curtiskline — Wed, 27 Feb 2002 21:57:08 GMT

Bjarne,

Any chance that my Windows server admin coworker and/or I could email you for more info on your environment and config? If so, send me an email at ckline@housing.ucsb.edu and I'll reply.

Thanks for your help!

Curtis

Re: PIX and Microsoft IAS

bsaltbaek — Fri, 01 Mar 2002 11:37:46 GMT

Hi Curtis.

I haven't forgot your request.

I'm putting down a webpage with addon screen dumps, how to set up an VPN solution with W2K IAS, PIX and 3 interfaces (outside,inside,dmz) and NAT.

I'm allmost half way 🙂

Regards,

Bjarne

Re: PIX and Microsoft IAS

rlew — Thu, 07 Mar 2002 22:01:41 GMT

Hi Bjarne,

I am currently looking at the same solution for Cisco VPN Client, and will be much appreciated if you can keep me posted.

rlew@mdwfcu.com

Regards

Ryan

Re: PIX and Microsoft IAS

jmcburnett — Wed, 24 Apr 2002 02:11:14 GMT

I am in the same position Curtis is. I have not seen a post with your example.

Would you repost?

Thanks,

Jim

Re: PIX and Microsoft IAS

bsaltbaek — Wed, 24 Apr 2002 14:40:42 GMT

Greetings all.

Have a look at a web page I have set up at:

http://www.saltbaek.dk/cisco/

This page is a combination of Cisco's poor instructions at http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html and my companys VPN setup.

Please use the email on the webpage for comments/replys.

Sorry to Curtis for the late reply (I have been busy :-))

Regards,

Bjarne