Solved

Cisco VPN Client and Radius Authentication

Posted on 2004-08-30
Last Modified: 2013-11-16


I currently have a setup where a PIX 515 contacts a server on my network that runs the basic Internet Authentication Server (The one that comes with Win2k) as a RADIUS server.

This setup works and queries the AD to authenticate the user. However, it appears that the user does not retain any authentication token or that it is not being passed on. When a user attempts to access a resource, i.e. \\server\share, it prompts for a Windows user ID and password. How can I configure this so that the user remains "Windows Authenticated"? One caveat: I am not spending 5K on Cisco ACS. Any ideas?

Thanks,

Justin
Question by:jlazanowski

Expert Comment

by:lrmoore
Have the client set up to "enable start before logon"
This will start the client to authenticate and gain network access, then the user can use their domain credentials to log into the workstation and all credentials will pass to the resources.
If the workstation is not already a member of the Active Directory, then every resource will still request and require authentication.

Author Comment

by:jlazanowski
These machines do not belong to my company and therefore are not part of our AD. Is there any other way to do this without having the machine login to the Domain?

Thanks,
Justin

Expert Comment

by:lrmoore
No. They will simply have to provide domain credentials once again after they log in to the VPN.

Author Comment

by:jlazanowski
There isn't any other software out there that will keep an authentication token open other than ACS? Come on, there are always more options.

Justin <---- Still holding out faith.

Accepted Solution

by:
lrmoore earned 250 total points
I wouldn't hold out much hope since the Cisco client is not a Windows client and cannot proxy the authentication. The initial authentication is only "permission to come aboard" the network proper, and as you have discovered does not carry a token for subsequent requests to access network (AD) resources.
One option is to have the client PC in the AD domain.
One other technique that I have used to "fudge" this is to have the client PC in a workgroup with the same name as the AD domain.
Another option is to use MS PPTP client instead of the Cisco IPSEC client.

I also don't think ACS will help you in this even if you did invest in it.

Author Comment

by:jlazanowski
I have installed ACS and it did pass authentication to me and work like I wanted when I installed the trial. I was going to just buy it until I saw the price tag. I know Cisco likes to stick it to their customers but I think this is a little insane.

Justin

Expert Comment

by:lrmoore
When you tested out ACS, was your test vpn PC a member of the domain?

Author Comment

by:jlazanowski
No. It was my home workstation that had no Domain Access.

I appreciate your help in all of this. I am going to leave this question open for a day or two to see if anyone else has two cents to throw into this one.

Justin

Expert Comment

by:lrmoore
I'll be just as anxious to hear any other ideas....
