User Authentication Problems

Posted on 2004-10-28
Last Modified: 2010-04-09
OK, this is a bit long to set up the scenario, so here goes.

"The Customer" has a multi-site network spanning the country, all connected via T1s. Here is the way traffic routes from outside in:

Cisco 1720 router (basic point-to-point T1), Cisco PIX firewall v6.3 with multiple access-lists and statics, Cisco 2600 router where all the T1s come in. This unit is the primary (default) gateway for all clients on the network. From there it spans into (ready for this?) a 10 Mb hub, not a switch, a HUB, that connects everyone at the main site together.

OK, now for traffic going inside to out...

Start at the client, go to a Cisco 2600 (routed either internally or to the PIX), hit the PIX, and then the PIX authenticates the client back to a Websense server to allow or not allow access (on ports 80, 21, and 8080).

Now the fun part... Both servers are DCs within the Active Directory domain "company-name". Previously they only had one server, and before it cratered its ADDN was "companyname" without the hyphen. They have rolled out well over 70 PCs nationwide that authenticate to "company-name", and the existing 60-100 use "companyname". The ones with the "companyname" ADDN are mixed 98/XP machines. The ones with "company-name" are mainly XP.

The problem is that users who try to access the internet with the filtering turned on are prompted for a username and password when they are not in the "company-name" domain. So the first part of the question is this: how can I merge the two ADDNs together without touching each and every "companyname" PC?

Now on to the second part, and I am sure I know the answer to this. But since this whole network is a routed network and doesn't use any other protocols, I am sure the latency to the servers and to the internet is coming from lost packets on the 10 Mb hubs... The question on the second part is this: provided that the 10 Mb hubs aren't the problem, is there better performance and response when using the UDP transport for authentication from the PIX to Websense rather than TCP?

And lastly, does anyone know of a logon script that I can use to change a machine's domain status and/or workgroup membership? I know the third question kinda contradicts the first, but I have to get to the point where they can authenticate before I can use login scripts.

I know this is a bit to decode, so I am starting this one out with 500 points (hope I can go higher).

Thanks, experts!
Question by: pperry76

    Author Comment

    Ahhh hell, only one part of this pertains to firewalls... sorry guys. Should I repost into the Windows 2000 category, or do you think I will get answers here?
    LVL 51

    Expert Comment

    AFAIK only by using M$'s trusted relationship

    > .. is there better performace  ..
    As you describe your network, I assume that you have everything set up as the M$ default, meaning: never touched anything except when told to do so, P&P == plug&pay.
    In other words, I assume that your network's main purpose is to route and deliver a huge amount of useless broadcast packets.
    If that's true, you get much better performance when you simply configure your clients, in particular:
      1. stop any browser broadcast like "I want to be the master browser"
      2. use NetBIOS over TCP instead of SMB

    Author Comment

    So you're saying I have to touch each machine to stop the master browser broadcast traffic... The problem with the trusted relationships is that there is no server in companyname, only company-name... Would utilizing the NetBIOS settings in DHCP help any?

    Maybe that would at least get me able to run login scripts, which takes me to the "changing the computer's domain via login script" part.
    LVL 51

    Expert Comment

    > .. i have to touch each machine to stop the master browser broadcast traffic
    Yes. Or if you have logon scripts, you can do it there.

    > would utilizing the netbios settings in DHCP help any?  
    In general yes, but I know of some W2K, NT and XP machines which do not accept the settings there properly. You have to check yourself.

    Author Comment

    My team and I were able to come up with a solution.

    Set up a temp NT 4.0 server to handle all the clients on the "companyname" domain. We chose NT4 rather than 2003 or 2000 in case the Windows NT4 and 9x clients didn't have the Active Directory connector installed. We will then change each machine via login script or some other means to point to the new "company-name" domain.

    > ... is there better performance and response when using the UDP transport for authentication from the PIX to Websense rather than TCP?
    The UDP transport for authentication is better in a large environment, but TCP works fine for fewer than 200 users.
    Websense has the ability to prepend the domain name of the users as long as they are listed in Active Directory. So the clients that are not logging into the "company-name" domain receive a UN & PW box when they attempt to surf a filtered protocol outside the local WAN or LAN.

    > ... logon script that I can use to change a machine's domain status and/or workgroup membership?
    We haven't gotten to this part yet. We have a temp fix in place now to facilitate what we need. So if anyone knows of a way to do this, please leave a post here.

    Thanks to all for your help
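The third question (a script that moves a machine from the old "companyname" domain into "company-name") was never answered in the thread. The script below is an added example, not code from the thread or from any of its participants, showing how that is done with Windows PowerShell, folded together with the two client-side settings the expert recommended (keeping hosts out of master-browser elections and cutting NetBIOS name-query broadcasts). It assumes Windows PowerShell 3.0 to 5.1 hosts with `Add-Computer` (the thread's Windows 98 machines could not run it; they would need `netdom` or a VBScript equivalent), that it runs as a computer startup script with administrator rights, and that the OU path, log file, credential file and join account are illustrative assumptions marked in the code. The domain names "companyname" and "company-name" are the thread's own.

```powershell
# Added example (not from the thread or its participants). Migrates a client from the
# legacy "companyname" domain into "company-name" and applies the two broadcast
# reductions the expert suggested. Run elevated as a computer STARTUP script (SYSTEM),
# not as a user logon script: HKLM writes and domain joins need admin rights.
# Target: Windows PowerShell 3.0-5.1 (Add-Computer is not present in PowerShell 7).

$OldDomain = 'companyname'     # from the thread: legacy single-label domain name
$NewDomain = 'company-name'    # from the thread: the AD domain clients should use
$TargetOU  = 'OU=Workstations,DC=company-name,DC=local'  # ASSUMPTION: DNS suffix and OU
$LogFile   = Join-Path $env:SystemRoot 'Temp\domain-migration.log'  # ASSUMPTION

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Disable-MasterBrowserElection {
    # "I want to be the master browser" chatter comes from the Computer Browser
    # service; MaintainServerList=No keeps this host out of browser elections.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
    Set-ItemProperty -Path $key -Name 'MaintainServerList' -Value 'No' -Type String
    Write-Log 'Computer Browser: MaintainServerList = No'
}

function Set-NetBiosHybridNode {
    # NodeType 8 = H-node: query WINS first, broadcast only as a fallback. This is the
    # registry equivalent of DHCP option 046, which the thread notes some clients
    # ignore. A WINS server must still be configured (DHCP option 044 or statically),
    # otherwise the client falls back to broadcast anyway.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    Set-ItemProperty -Path $key -Name 'NodeType' -Value 8 -Type DWord
    Write-Log 'NetBT: NodeType = 8 (H-node)'
}

function Get-DomainMigrationState {
    # Pure decision logic, separated so it can be checked without touching membership.
    # Returns 'Done' (already in the new domain), 'Migrate' (old domain or workgroup)
    # or 'Skip' (joined to some unrelated domain; leave it alone).
    param([string]$CurrentDomain, [bool]$PartOfDomain)
    if ($PartOfDomain -and ($CurrentDomain -eq $NewDomain -or $CurrentDomain -like "$NewDomain.*")) { return 'Done' }
    if (-not $PartOfDomain) { return 'Migrate' }
    if ($CurrentDomain -eq $OldDomain -or $CurrentDomain -like "$OldDomain.*") { return 'Migrate' }
    return 'Skip'
}

function Move-ToNewDomain {
    param([Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$JoinCredential)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $state = Get-DomainMigrationState -CurrentDomain $cs.Domain -PartOfDomain $cs.PartOfDomain
    Write-Log "Current domain/workgroup: $($cs.Domain); decision: $state"
    if ($state -ne 'Migrate') { return $false }

    # Add-Computer leaves the old domain and joins the new one in one step. The join
    # account only needs delegated rights to create computer objects in $TargetOU.
    Add-Computer -DomainName $NewDomain -OUPath $TargetOU -Credential $JoinCredential -Force -ErrorAction Stop
    Write-Log "Joined $NewDomain in $TargetOU; rebooting to complete"
    Restart-Computer -Force
    return $true
}

# --- main ---
Disable-MasterBrowserElection
Set-NetBiosHybridNode

# ASSUMPTION: the join credential was saved once on this host, under the SYSTEM account,
# with Export-Clixml, so DPAPI lets only SYSTEM on this machine decrypt it. Never leave
# the password in plaintext on the NETLOGON share. Falls back to a prompt for interactive tests.
$credFile = Join-Path $env:SystemRoot 'Temp\join-account.xml'
$cred = if (Test-Path $credFile) { Import-Clixml -Path $credFile }
        else { Get-Credential -Message "Account delegated to join computers to $NewDomain" }
Move-ToNewDomain -JoinCredential $cred
```

Two points a practitioner should keep in mind: a user logon script runs under the user's own token, which normally can neither write `HKLM` nor join a computer to a domain, so this belongs in a computer startup script (Group Policy runs those as SYSTEM); and the account used for the join should be a dedicated one delegated only "Create Computer objects" on the target OU, never a domain admin, because whatever a startup script can read, anyone who can read the script's storage can read too.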

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
