
PIX515 and VPN authentication

tfrench01
Level 1

I am new to VPN. The idea is to have remote clients VPN back to the home office from any place in the world. We are using laptops with the latest Cisco VPN client, accessing our PIX515 in the home office. I am able to see the shares on the network; we are using group authentication. I want the MS2K3 server to be used in IAS, as the RADIUS, for the clients accessing this network. I do not know how to make it so when they VPN in, they are asked to re-authenticate with the domain.

What is needed to make this happen?

Thanks

2 Replies

gfullage
Cisco Employee

Be aware that VPN and domain authentication are two separate things. To enable VPN authentication on the PIX, to a RADIUS server, you will need something like the following:

aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host x.x.x.x cisco123
crypto map <map-name> client authentication vpnauth

Your VPN users should now be prompted for a username/password when they VPN in, and the PIX will reference the IAS Radius server at x.x.x.x to authenticate the user. See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml for details.

All this will give them, however, is access into your network. They will not have "joined the domain" per se; they are just a host sitting logically on the inside of your PIX now. If you really want them to be authenticated to the domain properly, then on the VPN client enable the "Start before Login" feature. When they next boot up their PC and press CTRL-ALT-DEL to log in, the VPN client will pop up, allowing them to create the VPN connection to the PIX first. Once that is done they can then log into the Windows domain as normal and everything should look just as though they had logged in on the physical network (login scripts will run, drives will be mapped, etc.).

Unfortunately with Win2k/XP once they have logged into Windows initially using cached credentials (because they were not on the local network), there's no way to then force them to re-login again once the VPN is up. You have to bring the VPN up BEFORE they log into Windows so that everything runs smoothly.
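As an added illustration (not part of this thread or of any Cisco code), the following Python shows what the PIX actually sends to the IAS server once the aaa-server lines above are in place: an RFC 2865 Access-Request in which the user's password is hidden only by MD5 keyed with the shared secret (`cisco123` in the reply above, used here purely as a constructed example), which is why that secret, and the network path between PIX and IAS, deserve the same care as the password itself. The user name, password and NAS address below are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                   # RFC 2865 Code for Access-Request
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

def _attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password, as the RADIUS server does it; padding NULs are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Build the UDP payload the NAS (the PIX) sends; returns (packet, request_authenticator)."""
    ra = authenticator or os.urandom(16)             # 16 random bytes, fresh for every request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra

def parse_access_request(secret, packet):
    """Server side (what IAS does): walk the TLV attributes and recover (username, cleartext password)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra, pos, fields = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:                                 # guard against a malformed zero-length TLV
            raise ValueError("malformed attribute")
        fields[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return fields[ATTR_USER_NAME], reveal_password(secret, ra, fields[ATTR_USER_PASSWORD])
```

Anyone holding the shared secret and a capture of the inside segment can run parse_access_request exactly as the server does, which is the practical reason to use a long random secret rather than a vendor default and to keep the PIX-to-IAS path on a trusted segment.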

Excellent reply, that helps me.

Thanks for taking the time to explain it.