Solved

Does a PIX with RADIUS to Win2003 handle password renewal?

Posted on 2006-11-30
Last Modified: 2013-11-16
Hello,

I have a PIX 515e that users connect to via MS PPTP VPN client. Currently, the users authenticate against a list kept on the PIX box. I want to set up RADIUS authentication to a Win2003 AD network. Before I do this, I am curious about password renewal.

Our Windows network requires a change of password at regular intervals. Some of the users will be away from the office when their password is due for renewal. How does the PIX box handle this? Will the users be asked to change their passwords as they connect to the VPN (the PIX box)? Or do they have to log onto a Windows server specifically to do this?

Could someone who's seen this explain to me how it will work?
Thanks in advance!
Question by:dreadman2k
7 Comments
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 124 total points
Personally I can't believe it would handle it at all (unless someone has actually seen it work). Here's why. The PIX relays the auth parameters to the MS IAS (RADIUS) server, which in turn relays that to the AD for a yea/nay answer to approve.

So if the password is expired, the RADIUS server will most likely log the fact that it is expired, but will relay an answer of denied access.

Best thing I can think of is create a new PPTP group with the RADIUS auth. Then set an acct to expire. Then try it and confirm. I just refuse to believe it would work, as too many different technologies and protocols are being relayed through for the authentication answer.
 
LVL 32

Accepted Solution

by:rsivanandan
rsivanandan earned 63 total points
It never works. The only way I made the policy is to have them log on to their office machines through remote desktop and then change the password.

Or else, you could get a coding guy and create a page in your intranet for changing password. That works well.

Cheers,
Rajesh
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 124 total points
I realize it's not the best "fix", but can you just set the notification for password expiration to come sooner so that they know that if they are going to be gone, they can change it before they leave? I assume by "regular intervals" it's something like 6 months or in that neighborhood. Could you set the reminder to start at 21 days prior to expiration maybe?

Don't know, just thinking out loud.
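One practical form of the early-reminder idea in the comment above, as an added example (not code from this thread or from any of its posters): a PowerShell report of enabled AD accounts whose password is already expired or expires within a configurable window, so those users can change it before they travel and hit a RADIUS reject. It assumes the RSAT ActiveDirectory module is installed where it runs (tooling newer than the Win2003 era of the question); the 21-day window and the output fields are this example's choices.

```powershell
# Added example, not from the thread: list enabled AD users whose domain password
# is already expired, must be changed at next logon, or expires within $DaysAhead days.
# Assumes the RSAT ActiveDirectory module; run as an account that can read user objects.
param([int]$DaysAhead = 21)   # 21 days is the reminder window floated in the comment above

Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC derives it from
# pwdLastSet plus the password policy that applies to the user (default or fine-grained).
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($null -eq $raw -or $raw -eq [long]::MaxValue) { continue }   # no expiry applies

    # A value of 0 means "must change password at next logon" (pwdLastSet is 0).
    $expires = if ($raw -eq 0) { $null } else { [datetime]::FromFileTime($raw) }
    if ($expires -and $expires -gt $cutoff) { continue }               # outside the window

    if (-not $expires) {
        $status = 'must change at next logon'
    } elseif ($expires -lt $now) {
        $status = 'EXPIRED'                                            # RADIUS will reject
    } else {
        $status = '{0} day(s) left' -f [math]::Ceiling(($expires - $now).TotalDays)
    }

    [pscustomobject]@{
        User    = $u.SamAccountName
        Mail    = $u.mail
        Expires = $expires
        Status  = $status
    }
}

$report | Sort-Object Expires | Format-Table -AutoSize
```

The Mail column is there so the same list can feed a scheduled reminder e-mail; the report itself only reads the directory.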
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 63 total points
We had a lot of problems with this and eventually moved the RADIUS to a Cisco ACS box. It wasn't that M$ didn't work, it was more that it was never consistent. Finally went for hard tokens and the ACS server; works brilliantly.
 
LVL 2

Author Comment

by:dreadman2k
Thanks, guys!

That was the sort of info I was looking for. It seems I was right to be concerned about the password renewal as a source of trouble.
Now that you have clued me in, I can look at options. I would prefer hard tokens & such, but may be able to get it going with RADIUS & a web page for password renewal.

Again, thank you for the useful info!
 
LVL 51

Expert Comment

by:Keith Alabaster
Thanks :)
 
LVL 32

Expert Comment

by:rsivanandan
ThanQ.

Cheers,
Rajesh