Active Directory Authentication Using a RADIUS server

Unanswered Question
Feb 6th, 2009

I have a Cisco ASA 5505 device deployed at a client office. I am trying to set it up so that the VPN connections are authenticated to Active Directory. I have successfully setup IAS and the users can connect using the Cisco VPN client, but when they try to access file shares or Exchange server after connecting, they are prompted for domain username and password. Is there any way to configure it so that when connected to the ASA, they are authenticated to the domain as well?

Ivan Martinon Fri, 02/06/2009 - 14:37

This is expected behavior, and it is caused because the authentication performed by the ASA is only performing user authentication and not domain login. To achieve domain login, your users will have to enable "start before login" on their VPN client. What this will do is that after the user turns on the computer, the VPN client is launched and will establish a VPN connection; then they will enter the normal username and password. After the VPN is connected, they will be logged into their workstation with the Windows login, and in that step domain login occurs.

Ivan Martinon Fri, 02/06/2009 - 14:37

Forgot to specify: this feature is only available for Windows XP or lower OS; Windows Vista does not support this feature.

westernmotor Fri, 02/06/2009 - 20:06

Ya, the problem with that is the PC is not a member of the domain. It's like this because the user is a remote employee who is rarely in the office and wants to work off of a local profile. We used to have him set up with the Microsoft VPN client, which would authenticate him to the domain even if his PC didn't have a computer account in Active Directory. Since switching to the VPN client, he is no longer able to access anything once connected without supplying AD credentials. Will this suggested remedy work even if the PC has not been added to the domain?

Ivan Martinon Mon, 02/09/2009 - 08:10

There is no other way around this. VPN Client does not register users into domains once they log in; the only purpose of the Xauth user authentication is to give one extra layer of security.

vincent-n Wed, 09/30/2009 - 04:37

I think you're right about not adding the PC to the domain. I normally build the PC at the office and get the user to actually log on inside the internal network so that the account is cached onto the PC. Then take the PC out and VPN in. Start before logon would only work once the PC is on the domain and the user account is cached on the computer.
