
Does a PIX with RADIUS to Win2003 handle password renewal?

Hello,

I have a PIX 515e that users connect to via MS PPTP VPN client. Currently, the users authenticate against a list kept on the PIX box. I want to set up RADIUS authentication to a Win2003 AD network. Before I do this, I am curious about password renewal.

Our Windows network requires a change of password at regular intervals. Some of the users will be away from the office when their password is due for renewal. How does the PIX box handle this? Will the users be asked to change their passwords as they connect to the VPN (the PIX box)? Or do they have to log onto a Windows server specifically to do this?

Could someone who's seen this explain to me how it will work?
Thanks in advance!
0
dreadman2k
4 Solutions
 
Cyclops3590 Commented:
Personally I can't believe it would handle it at all (unless someone has actually seen it work). Here's why. The PIX relays the auth parameters to the MS IAS (RADIUS) server, which in turn then relays that to the AD for a yea/nay answer to approve.

So if the password is expired, the RADIUS server will most likely log the fact that it is expired, but will relay an answer of denied access.

Best thing I can think of is create a new PPTP group with the RADIUS auth.  Then set an acct to expire.  Then try it and confirm.  I just refuse to believe it would work as too many different technologies and protocols are being relayed thru for the authentication answer.
0
 
rsivanandan Commented:
It never works. The only way I made the policy is to have them log on to their office machines through remote desktop and then change the password.

Or else, you could get a coding guy and create a page in your intranet for changing password. That works well.

Cheers,
Rajesh
0
 
Cyclops3590 Commented:
I realize it's not the best "fix", but can you just set the notification for password expiration to come sooner, so that they know that if they are going to be gone, they can change it before they leave? I assume by "regular intervals" it's something like 6 months or in that neighborhood. Could you set the reminder to start at 21 days prior to expiration, maybe?

Don't know, just thinking out loud.
0
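As an added illustration of the early-warning idea suggested above (this example is not from the thread or any participant), the following Python sketch flags accounts whose password will expire within 21 days, so remote users can be told to change it before they travel. It assumes account records have already been exported from AD with the `sAMAccountName`, `userAccountControl` and `pwdLastSet` attributes plus the domain's `maxPwdAge`; the sample users, the date and the 180-day policy are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002        # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: password never expires

def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    """Windows FILETIME -> timezone-aware datetime (UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def password_status(user, max_pwd_age, now, warn_days=21):
    """Classify one exported account record. max_pwd_age is the domain's
    maxPwdAge: negative 100 ns ticks; 0 or -2**63 means no expiry."""
    uac = user["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return "disabled", None
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, -2**63):
        return "never-expires", None
    if user["pwdLastSet"] == 0:   # 0 = must change password at next logon
        return "must-change", None
    expiry = from_filetime(user["pwdLastSet"] - max_pwd_age)
    if expiry <= now:
        return "expired", expiry
    return ("warn" if expiry - now <= timedelta(days=warn_days) else "ok"), expiry

def users_to_notify(users, max_pwd_age, now, warn_days=21):
    """Accounts to contact: expiring soon, already expired, or flagged must-change."""
    flagged = {"warn", "expired", "must-change"}
    return [u["sAMAccountName"] for u in users
            if password_status(u, max_pwd_age, now, warn_days)[0] in flagged]

# Constructed sample data (not from a real directory), 180-day password policy.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = -180 * 86400 * 10**7

def _set_days_ago(days):
    return to_filetime(NOW - timedelta(days=days))

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "pwdLastSet": _set_days_ago(170)},
    {"sAMAccountName": "bob", "userAccountControl": 0x200, "pwdLastSet": _set_days_ago(30)},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "pwdLastSet": _set_days_ago(200)},
    {"sAMAccountName": "dave", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "pwdLastSet": _set_days_ago(900)},
]

if __name__ == "__main__":
    print(users_to_notify(SAMPLE_USERS, MAX_PWD_AGE, NOW))
```
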
 
Keith Alabaster Commented:
We had a lot of problems with this and eventually moved the RADIUS to a Cisco ACS box. It wasn't that M$ didn't work, it was more that it was never consistent. Finally went for hard tokens and the ACS server, works brilliantly.
0
 
dreadman2k (Author) Commented:
Thanks, guys!

That was the sort of info I was looking for. It seems I was right to be concerned about the password renewal as a source of trouble.
Now that you have clued me in I can look at options. I would prefer hard tokens & such, but may be able to get it going with RADIUS & a web page for password renewal.

Again, thank you for the useful info!
0
 
Keith Alabaster Commented:
Thanks :)
0
 
rsivanandan Commented:
ThanQ.

Cheers,
Rajesh
0
