Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco VPN Client and Radius Authentication

Posted on 2004-08-30
11
Medium Priority
?
370 Views
Last Modified: 2013-11-16


I currently have a setup where a PIX 515 contacts a server on my network that runs the basic Internet Authentication Server (The one that comes with Win2k) as a RADIUS server.

This setup works and queries the AD to authenticate the user. However it appears that the user does not retain any Authentication token or that it is not being passed on. When a user attempts to access a resource i.e. \\server\share it prompts for a Windows userID and password. How can I configure this so that the user remains "Windows Authenticated". One caveat I am not speding 5K on Cisco ACS. Any ideas?

Thanks,

Justin
0
Comment
Question by:jlazanowski
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11932975
Have the client set up to "enable start before logon"
This will start the client to authenticate and gain network access, then the user can use their domain credentials to log into the workstation and all credentials will pass to the resources..
If the workstation is not already a memeber of the Active Directory, then every resource will still request and require authentication..
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11933114
These machines do not belong to my company and therefore are not part of our AD. Is there any other way to do this without having the machine login to the Domain?

Thanks,
Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11933781
No. They will simply have to provide domain credentials once again after they login to the VPN.
0
WEBINAR - Latest Cyber Tips for Defense

Join the WatchGuard Threat Research Team on October 26th for an informative webinar featuring expert tips and tricks for defending your organization from today's latest cyber threats. Don't leave yourself vulnerable to attack. Register for the webinar today!

 
LVL 1

Author Comment

by:jlazanowski
ID: 11933942
There isn't any other software out there that will keep an authentication token open other than ACS? Come on there are always more options

Justin <---- Still holding out faith.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 11934192
I wouldn't hold out much hope since the Cisco client is not a Windows client and cannot proxy the authentication. The initial authentication is only "permission to come aboard" the network proper, and as you have discovered does not carry a token for subsequent requests to access network (AD) resources.
One option is to have the client PC in the AD domain.
One other technique that I have used to "fudge" this is to have the client PC in a workgroup with the same name as the AD domain.
Another option is to use MS PPTP client instead of the Cisco IPSEC client.

I also don't think ACS will help you in this even if you did invest in it.
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11934373
I have installed ACS and it did pass authentication to me and work like I wanted when I installed the trial. I was going to just buy it until I saw the price tag. I know Cisco likes to stick it to their customers but I think this is a little insane.

Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11934723
When you tested out ACS, was your test vpn PC a member of the domain?
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11934765
No. It was my home workstation that had no Domain Access.

I appreciate your help in all of this. I am going to leave this question open for a day or two to see if anyone else has two cents to throw into this one.

Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11934842
I'll be just as anxious to hear any other ideas....

0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question