DFS namespace over RADIUS authentication through a Cisco ASA 5510

Posted on 2011-10-11
Last Modified: 2012-05-12
I have the following scenario:

(1) Cisco ASA 5510 configured to use RADIUS auth on the VPN settings, and it's pointed to a Windows 2003 Enterprise Domain Controller, which handles AD services.

We set the Dial-in setting on the user account properties in ADUC to "allow" -- this accomplishes the VPN allow/deny requirement.

What doesn't work over VPN is the DFS namespace, so shares can only be mapped with the NetBIOS UNC syntax, which isn't a big deal, but an annoyance.

The DFS namespace server, by the way, is a Windows 2008 Standard R2 box.

Ideas? Suggestions?
Question by:kapshure

    Expert Comment

    by:Felix Leven
    Are you sure the name resolution of the connected clients is not a problem (internal/external DNS server used)? Can all namespaces and servers needed to access the DFS share be resolved from the client?


    Author Comment


    I'm not certain I follow the first sentence? Can you elaborate some more? As for the second sentence, if you mean the remote client over VPN, then the share can only be accessed via the UNC syntax. Internally the DFS namespace works; over VPN, no.

    What am I missing?

    Expert Comment

    by:Felix Leven
    When the VPN client is connected, can you ping, from this VPN-connected client, the DNS names of the AD server and the DFS server?

    Accepted Solution

    If NetBIOS works, is LDAP open for VPN users?

    Distributed File System
    The Distributed File System (DFS) integrates disparate file shares that are located across a local area network (LAN) or wide area network (WAN) into a single logical namespace. The DFS service is required for Active Directory domain controllers to advertise the SYSVOL shared folder.

    System service name: Dfs

    Application protocol/Protocol/Ports
    NetBIOS Datagram Service/UDP/138
    NetBIOS Session Service/TCP/139
    LDAP Server/TCP/389
    LDAP Server/UDP/389
    Randomly allocated high TCP ports¹/TCP/random port number between 1024 - 65535; random port number between 49152 - 65535²

    More Port documentation:

    Author Comment


    I'm pretty sure we have only the most basic ports open on the ASA. That I need to check.
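
An added example, not code from the thread or its participants: a PowerShell check to run on the VPN-connected client that tests the two things raised above, whether the AD and DFS server names resolve and whether the TCP ports in the accepted solution's list answer through the ASA. The host names are placeholders (assumptions) to replace with your own.

```powershell
# Added example: run from the VPN-connected client.
# Host names are placeholders (assumptions), not values from the thread.
$targets = @(
    'dc01.corp.example',    # AD domain controller (placeholder)
    'dfs01.corp.example'    # DFS namespace server (placeholder)
)
# TCP ports from the accepted solution's list. UDP 138 and UDP 389 are
# connectionless, so a connect test cannot confirm them; check the ASA rules.
$tcpPorts  = @{ 139 = 'NetBIOS Session Service'; 389 = 'LDAP Server' }
$timeoutMs = 3000

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # No answer within the timeout usually means the packet was dropped on the path.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'no response (timeout)' }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'open'
    } catch {
        return 'refused/unreachable'
    } finally {
        $client.Close()
    }
}

foreach ($name in $targets) {
    try {
        # Keep IPv4 results only; @() guarantees an array even for 0 or 1 address.
        $ips = @([System.Net.Dns]::GetHostAddresses($name) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch {
        # Name resolution failed: check which DNS server the VPN adapter is using.
        Write-Output ("{0,-22} DNS lookup failed" -f $name)
        continue
    }
    foreach ($ip in $ips) {
        foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
            $state = Test-TcpPort -Address $ip.IPAddressToString -Port $port -TimeoutMs $timeoutMs
            Write-Output ("{0,-22} {1,-15} tcp/{2,-5} {3,-24} {4}" -f $name, $ip, $port, $tcpPorts[$port], $state)
        }
    }
}
```

A failed lookup points at the DNS question asked earlier in the thread, while a timeout on a port from a host that resolves points at the ASA access rules.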
