User Authentication Problems
Posted on 2004-10-28
OK, this is a bit long to set up the scenario, so here goes.
"The Customer" has a multi-site network spanning the country, all connected via T-1s. Here is the way traffic routes from outside in:
Cisco 1720 router (basic point-to-point T1), Cisco PIX firewall v6.3 with multiple access-lists and statics, Cisco 2600 router where all the T-1s come in. This unit is the primary (default) gateway for all clients on the network. From there it spans into (ready for this?) a 10 Mb HUB, not a switch, a HUB, that connects everyone at the main site together.
OK, now for traffic going inside to out:
Start at the client, go to a Cisco 2600 (routed either internally or to the PIX), hit the PIX, and then the PIX authenticates the client back to a Websense server to allow or not allow access (on ports 80, 21 and 8080).
Now the fun part... Both servers are DCs within the Active Directory domain "company-name". Previously they only had one server, and before it cratered its ADDN was "companyname", without the hyphen. They have rolled out well over 70 PCs nationwide that authenticate to "company-name", and the existing 60-100 use "companyname". The ones with the "companyname" ADDN are mixed 98/XP machines. The ones with "company-name" are mainly XP.
The problem is that users who try to access the internet with the filtering turned on are prompted for a username and password when they are not in the "company-name" domain. So the first part of the question is this: how can I merge the two ADDNs together without touching each and every "companyname" PC?
Now on to the second part, and I am sure I know the answer to this. But since this whole network is a routed network and doesn't use any other protocols, I am sure the latency to the servers and to the internet is coming from lost packets from the 10 Mb hubs. The question on the second part is this: provided that the 10 Mb hubs aren't the problem, is there better performance and response when using the UDP transport for authentication from the PIX to Websense rather than TCP?
And lastly, does anyone know of a logon script that I can use to change a machine's domain status and/or workgroup membership? I know the third question kind of contradicts the first, but I have to get to the point where they can authenticate before I can use login scripts.
I know this is a bit to decode, so I am starting this one out with 500 points (hope I can go higher).
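An added example, not part of the original post or of any answer on the page, of the kind of script the third question asks for: it uses the WMI method Win32_ComputerSystem.JoinDomainOrWorkgroup to move a Windows 2000/XP machine into a domain. The Windows 98 machines mentioned above have no WMI domain-join method and would need a different approach. The domain name, the join account and the command-line switch names are assumptions. Two caveats a practitioner would want: the call needs local Administrator rights, so it fails inside an ordinary user's logon script and belongs in a machine startup script or an admin's hands; and the joining credentials must not be hard-coded into a script on the NETLOGON share, which every user can read, so this version reads them from the command line for a one-off run and uses an account delegated only the right to join computers.

```vbscript
' Added example (not from the original post): join this Windows 2000/XP machine to a
' domain through WMI. Run it with cscript as a local Administrator, e.g. from a startup
' script or by hand; it does not work from a normal user's logon script or on Windows 98.
Option Explicit

Const JOIN_DOMAIN = 1   ' FJoinOptions bit: join a domain rather than a workgroup
Const ACCT_CREATE = 2   ' FJoinOptions bit: create the computer account if it does not exist

Dim args, strDomain, strUser, strPassword
Set args = WScript.Arguments.Named
' All three values are assumptions for this example and come from the command line,
' so no credential is stored in the script itself.
If Not (args.Exists("domain") And args.Exists("user") And args.Exists("password")) Then
    WScript.Echo "usage: cscript join-domain.vbs /domain:<name> /user:<domain\account> /password:<pw>"
    WScript.Quit 2
End If
strDomain   = args("domain")      ' e.g. company-name
strUser     = args("user")        ' account delegated only the right to join computers
strPassword = args("password")

Dim objWMI, objCS, intResult
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Win32_ComputerSystem has exactly one instance on a machine.
For Each objCS In objWMI.ExecQuery("SELECT * FROM Win32_ComputerSystem")
    ' Skip machines that are already where we want them, so the script is safe to re-run.
    If objCS.PartOfDomain And LCase(objCS.Domain) = LCase(strDomain) Then
        WScript.Echo objCS.Name & " is already a member of " & strDomain & "; nothing to do."
        WScript.Quit 0
    End If

    ' Return value is 0 on success, otherwise a Win32 error code
    ' (5 = access denied, 1326 = bad user name or password, 1355 = domain not found).
    intResult = objCS.JoinDomainOrWorkgroup(strDomain, strPassword, strUser, Null, JOIN_DOMAIN + ACCT_CREATE)
    If intResult = 0 Then
        WScript.Echo "Joined " & strDomain & " as " & objCS.Name & "; a reboot is required to complete the join."
    Else
        WScript.Echo "Join to " & strDomain & " failed with Win32 error " & intResult & "."
    End If
    WScript.Quit intResult
Next
```

Run it from an elevated command prompt as `cscript join-domain.vbs /domain:company-name /user:company-name\joinacct /password:...`; the machine must be rebooted afterwards before it can authenticate against the new domain. Passing FJoinOptions of 0 with a workgroup name in /domain would instead drop the machine into that workgroup, which is the other half of what the third question asks about.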