Solved

Cisco VPN Client and Radius Authentication

Posted on 2004-08-30
Last Modified: 2013-11-16


I currently have a setup where a PIX 515 contacts a server on my network that runs the basic Internet Authentication Server (The one that comes with Win2k) as a RADIUS server.

This setup works and queries the AD to authenticate the user. However, it appears that the user does not retain any authentication token or that it is not being passed on. When a user attempts to access a resource, i.e. \\server\share, it prompts for a Windows userID and password. How can I configure this so that the user remains "Windows Authenticated"? One caveat: I am not spending 5K on Cisco ACS. Any ideas?

Thanks,

Justin
Question by:jlazanowski
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11932975
Have the client set up to "enable start before logon".
This will start the client to authenticate and gain network access, then the user can use their domain credentials to log into the workstation and all credentials will pass to the resources.
If the workstation is not already a member of the Active Directory, then every resource will still request and require authentication.
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11933114
These machines do not belong to my company and therefore are not part of our AD. Is there any other way to do this without having the machine login to the Domain?

Thanks,
Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11933781
No. They will simply have to provide domain credentials once again after they login to the VPN.
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11933942
There isn't any other software out there that will keep an authentication token open other than ACS? Come on there are always more options

Justin <---- Still holding out faith.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 11934192
I wouldn't hold out much hope since the Cisco client is not a Windows client and cannot proxy the authentication. The initial authentication is only "permission to come aboard" the network proper, and as you have discovered does not carry a token for subsequent requests to access network (AD) resources.
One option is to have the client PC in the AD domain.
One other technique that I have used to "fudge" this is to have the client PC in a workgroup with the same name as the AD domain.
Another option is to use MS PPTP client instead of the Cisco IPSEC client.

I also don't think ACS will help you in this even if you did invest in it.
0
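For a client PC that is not in the AD domain, the domain credentials have to be presented to the file server separately once the tunnel is up. The PowerShell sketch below is an added example, not part of the original thread: it checks that the share is reachable through the VPN, prompts for the domain account, and mounts the share for the current session only, so no password is written to the script or saved on a machine the company does not manage. The domain name `CORP`, the drive name `CorpShare` and the `server`/`share` values are placeholders.

```powershell
# Added example (not from the thread). CORP, server, share and CorpShare
# are placeholder values; replace them with your own.
$Domain    = 'CORP'        # hypothetical AD domain (NetBIOS name)
$Server    = 'server'      # file server reachable only through the VPN
$Share     = 'share'
$DriveName = 'CorpShare'   # session-only PowerShell drive, not a saved mapping

# 1. Confirm the tunnel is up: SMB (TCP 445) must be reachable on the server.
$probe = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $Server on TCP 445. Connect the VPN client first."
}

# 2. Prompt for the domain account. The VPN/RADIUS logon does not hand
#    Windows a token, so the file server needs its own authentication.
$cred = Get-Credential -Message "Domain credentials for \\$Server\$Share" `
                       -UserName "$Domain\$env:USERNAME"
if (-not $cred) {
    throw 'No credentials supplied.'
}

# 3. Mount the share with those credentials. Without -Persist the drive and
#    its credentials exist only in this PowerShell session.
try {
    New-PSDrive -Name $DriveName -PSProvider FileSystem `
                -Root "\\$Server\$Share" -Credential $cred `
                -Scope Global -ErrorAction Stop | Out-Null
    Write-Host "Mounted \\$Server\$Share as ${DriveName}:"
}
catch {
    Write-Error "Mount failed (bad credentials or no access): $($_.Exception.Message)"
}

# 4. Before disconnecting the VPN, drop the session:
#    Remove-PSDrive -Name CorpShare
```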
 
LVL 1

Author Comment

by:jlazanowski
ID: 11934373
I have installed ACS and it did pass authentication to me and work like I wanted when I installed the trial. I was going to just buy it until I saw the price tag. I know Cisco likes to stick it to their customers but I think this is a little insane.

Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11934723
When you tested out ACS, was your test vpn PC a member of the domain?
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11934765
No. It was my home workstation that had no Domain Access.

I appreciate your help in all of this. I am going to leave this question open for a day or two to see if anyone else has two cents to throw into this one.

Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11934842
I'll be just as anxious to hear any other ideas....

0
