Does a PIX with RADIUS to Win2003 handle password renewal?

Posted on 2006-11-30
Last Modified: 2013-11-16
Hello,

I have a PIX 515e that users connect to via MS PPTP VPN client. Currently, the users authenticate against a list kept on the PIX box. I want to set up RADIUS authentication to a Win2003 AD network. Before I do this, I am curious about password renewal.

Our Windows network requires a change of password at regular intervals. Some of the users will be away from the office when their password is due for renewal. How does the PIX box handle this? Will the users be asked to change their passwords as they connect to the VPN (the PIX box)? Or do they have to log onto a Windows server specifically to do this?

Could someone who's seen this explain to me how it will work?
Thanks in advance!
Question by: dreadman2k

7 Comments
Assisted Solution by: Cyclops3590
Personally I can't believe it would handle it at all (unless someone has actually seen it work). Here's why. The PIX relays the auth parameters to the MS IAS (RADIUS) server, which in turn relays that to the AD for a yea/nay answer to approve.

So if the password is expired, the RADIUS server will most likely log the fact that it is expired, but will relay an answer of denied access.

Best thing I can think of is create a new PPTP group with the RADIUS auth. Then set an acct to expire. Then try it and confirm. I just refuse to believe it would work, as too many different technologies and protocols are being relayed through for the authentication answer.

Accepted Solution by: rsivanandan
It never works. The only way I made the policy is to have them log on to their office machines through remote desktop and then change the password.

Or else, you could get a coding guy and create a page in your intranet for changing password. That works well.

Cheers,
Rajesh
Assisted Solution by: Cyclops3590
I realize it's not the best "fix", but can you just set the notification for password expiration to come sooner, so that they know that if they are going to be gone, they can change it before they leave? I assume by "regular intervals" it's something like 6 months or in that neighborhood. Could you set the reminder to start at 21 days prior to expiration, maybe?

Don't know, just thinking out loud.
Assisted Solution by: Keith Alabaster
We had a lot of problems with this and eventually moved the RADIUS to a Cisco ACS box. It wasn't that M$ didn't work, it was more that it was never consistent. Finally went for hard tokens and the ACS server; works brilliantly.

Author Comment by: dreadman2k
Thanks, guys!

That was the sort of info I was looking for. It seems I was right to be concerned about the password renewal as a source of trouble.
Now that you have clued me in I can look at options. I would prefer hard tokens & such, but may be able to get it going with RADIUS & a web page for password renewal.

Again, thank you for the useful info!
Expert Comment by: Keith Alabaster
Thanks :)
Expert Comment by: rsivanandan
ThanQ.

Cheers,
Rajesh