Cisco Pix VPN Windows 2003 domain integration

Hi All,

We have a windows 2003 domain and are planning to install a Cisco Pix 515 firewall. I've already configured a few Pix firewalls for Pix to Pix tunnels, and basic client VPN sessions using pptp and a username and password contained in the pix's configuration. What we would like to do with the Cisco Pix 515 at this particulat site is allow users to connect to the network via a VPN connection, using their Active Directory username and password. How can we achieve this? Would we need to purchase any additional software or hardware.

Cheers.
jt003649Asked:
Who is Participating?
 
Tim HolmanCommented:
Cisco PIX offers no native support for either NT domain or Active Directory authentication.
Ways round this are to use CiscoSecure ACS as a TACACS server.  This provides the NTLM or AD link, and allows you to authenitcate users pretty much anyway you please -

CSACS-3.2-WIN-K9      Cisco Secure ACS 3.2 for Windows      $5,995      £4,117 (list price - you should be able to get 40% off this from a good supplier !)

You would need a platform on which to run this.

Alternatively, the VPN 3000 series does offer integrated NTLM / AD authenticaion.  A basic model such as the VPN 3005 is far cheaper than ACS, and will probably serve your needs better:

CVPN3005-E/FE-BUN      VPN3005:Chassis, 2FE, 200 user, client, SW, US PWR      $2,995      £2,057


0
 
jt003649Author Commented:
Thanks for the answer Tim. Looks like the VPN 3005 is the way forward.

Would it also be possible to use an Microsoft IAS server, integrated into AD, as a Radius server to authenticate using AD accounts?
0
 
Tim HolmanCommented:
You can use Microsoft RAS as a VPN Server, and use the MS VPN client (PPTP / IPSEC), but this is software based and you really need VPN accelerator hardware in order to use a reasonable amount of VPN clients.
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
dpc453Commented:
You can also use the Cisco VPN client and the Radius server on Windows 2000/2003 Internet Authentication Services (IAS) to authenticate users using AD.  I just set this up the other day with a 515 (6.3) and a 2003 domain using the very detailed instructions from Cisco:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
0
 
jon47Commented:
tim holman is right, but missing a feature of the PIX.  Setup the "Internet Authentication Service" on windows, aka RADIUS, and configure the pix as per dpc453's note.

We've got a pix 515 authenticating against a windows active directory domain quite happily.
0
 
Tim HolmanCommented:
Good point !
PIX will happily do RADIUS / TACACS+ natively.... :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.