Solved

Cisco VPN Client and Radius Authentication

Posted on 2004-08-30
11
365 Views
Last Modified: 2013-11-16


I currently have a setup where a PIX 515 contacts a server on my network that runs the basic Internet Authentication Server (The one that comes with Win2k) as a RADIUS server.

This setup works and queries the AD to authenticate the user. However it appears that the user does not retain any Authentication token or that it is not being passed on. When a user attempts to access a resource i.e. \\server\share it prompts for a Windows userID and password. How can I configure this so that the user remains "Windows Authenticated". One caveat I am not speding 5K on Cisco ACS. Any ideas?

Thanks,

Justin
0
Comment
Question by:jlazanowski
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11932975
Have the client set up to "enable start before logon"
This will start the client to authenticate and gain network access, then the user can use their domain credentials to log into the workstation and all credentials will pass to the resources..
If the workstation is not already a memeber of the Active Directory, then every resource will still request and require authentication..
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11933114
These machines do not belong to my company and therefore are not part of our AD. Is there any other way to do this without having the machine login to the Domain?

Thanks,
Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11933781
No. They will simply have to provide domain credentials once again after they login to the VPN.
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 
LVL 1

Author Comment

by:jlazanowski
ID: 11933942
There isn't any other software out there that will keep an authentication token open other than ACS? Come on there are always more options

Justin <---- Still holding out faith.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 11934192
I wouldn't hold out much hope since the Cisco client is not a Windows client and cannot proxy the authentication. The initial authentication is only "permission to come aboard" the network proper, and as you have discovered does not carry a token for subsequent requests to access network (AD) resources.
One option is to have the client PC in the AD domain.
One other technique that I have used to "fudge" this is to have the client PC in a workgroup with the same name as the AD domain.
Another option is to use MS PPTP client instead of the Cisco IPSEC client.

I also don't think ACS will help you in this even if you did invest in it.
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11934373
I have installed ACS and it did pass authentication to me and work like I wanted when I installed the trial. I was going to just buy it until I saw the price tag. I know Cisco likes to stick it to their customers but I think this is a little insane.

Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11934723
When you tested out ACS, was your test vpn PC a member of the domain?
0
 
LVL 1

Author Comment

by:jlazanowski
ID: 11934765
No. It was my home workstation that had no Domain Access.

I appreciate your help in all of this. I am going to leave this question open for a day or two to see if anyone else has two cents to throw into this one.

Justin
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11934842
I'll be just as anxious to hear any other ideas....

0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question