Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
860
Views
0
Helpful
5
Replies

Active Directory Authentication Using a RADIUS server

westernmotor
Level 1
Level 1

‎02-06-2009 12:44 PM - edited ‎02-21-2020 03:16 AM

I have a Cisco ASA 5505 device deployed at a client office. I am trying to set it up so that the VPN connections are authenticated to Active Directory. I have successfully setup IAS and the users can connect using the Cisco VPN client, but when they try to access file shares or Exchange server after connecting, they are prompted for domain username and password. Is there any way to configure it so that when connected to the ASA, they are authenticated to the domain as well?

0 Helpful
5 Replies 5

Ivan Martinon
Level 7
Level 7

‎02-06-2009 02:37 PM

This is expected behavior, and it is caused since the authentication performed by the ASA is only performing user authenticaiton and not domain login, to achieve domain login your users will have to enable "start before login" on their vpn client. What this will do is that after the user turns on the computer the vpn client then is launched and will establish a vpn connection, then they will enter the normal username and password, after the vpn is connected then they will be login into their workstation with the windows login, in that step domain login occurs

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to Ivan Martinon

‎02-06-2009 02:37 PM

forgot to specify, this feature is only available for WindowsXP or lower OS, windows VISTA does not support this feature.

0 Helpful

westernmotor
Level 1
Level 1
In response to Ivan Martinon

‎02-06-2009 08:06 PM

Ya, the problem with that is the PC is not a member of the domain. It's like this because the user is a remote employee who is rarely in the office and wants to work off of a local profile. We used to have him set up with the Microsoft VPN client which would authenticate him to the domain even if his PC didn't have a computer account in Active Directory. Since switching to the VPN client, he is no longer able to access anything once connected, without supplying AD credentials. Will this suggested remody work even if the PC has not been added to the domain?

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to westernmotor

‎02-09-2009 08:10 AM

There is no other way around this, VPN Client does not register users into domains once they log in, the only purpose of the Xauth, user authentication is to give one extra layer of security

0 Helpful

vincent-n
Level 3
Level 3
In response to westernmotor

‎09-30-2009 04:37 AM

I think you're right about not adding the PC to the domain. I normally build the PC at the office, got the user to actually log on inside the internal network so that the account is cached onto the PC. Then take the PC out and VPN in. Start before logon would only work once the PC is on the domain and the user account is cached on the computer.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card