Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
411
Views
0
Helpful
5
Replies

Can this be done?

kmontgomery
Level 1
Level 1

‎02-12-2009 06:16 AM

We are using outdated 3005 VPN Concentrators, but we have been tasked with making a project work... I can't for the life of me figure out why this doesn't work... any ideas are appreciated...

We use the Cisco VPN Client to connect to the 3005 VPN Concentrator and then browse to local resources. The Windows authentication is not being passed for those resources, and you have to log in twice to a file share, if you can even get to it. We also want to browse an intranet page which links to local resources (file shares) but it can't find the server...

I need to know how to pass host names, dns entries and windows authentication through the client so that people can do these functions... can someone point me in the right direction? Soon?

Thanks, Ken

Labels:
0 Helpful
5 Replies 5

Ivan Martinon
Level 7
Level 7

‎02-12-2009 09:59 AM

Ken,

The fact that your client needs to log in twice every time you need to get into a file share server has to do with the fact that your client is not authenticated to your domain, this is something that is not configurable on the VPN 3000. However the vpn client has a feature called "Start before logon" which allows the vpn client to connect before the windows login screen comes causing the client to authenticate to the vpn and then allowing it to authenticate to the domain by entering the windows credentials.

As for the intranet page, can you ping it? if you are trying to access it via name make sure that your vpn concentrator has a dns entry defined on the group for this client.

0 Helpful

kmontgomery
Level 1
Level 1
In response to Ivan Martinon

‎02-12-2009 10:16 AM

I thought the same thing on the domain login, but the vpn concentrator is supposed to pass windows credentials upon connection, isn't it? Since we have NT Logon enabled?

Start before logon won't work, this is for non-company owned equipment.

The Intranet page is not pingable as the server hostname won't immediately resolve, but does resolve on the second try... I read in one of the manuals that you can populate the host file with a hostname, but can't find any way to do it through the concentrator.

As towards the dns entry defined on the group, I don't follow. I have DNS setup for the group and the base group, but what do you mean by an 'entry'?

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to kmontgomery

‎02-12-2009 10:19 AM

NO, the concentrator does not pass windows credentials to the domain controller or to any server, the user authentication performed is only for vpn authentication.

The host file will never be updated by the concentrator, the only modification the vpn concentrator does to the client is for the ip configuration of the virtual adapter and by entry I meant the DNS ip address defined on the Group.

Your only option is Start before logon or have them to log in twice.

0 Helpful

kmontgomery
Level 1
Level 1
In response to Ivan Martinon

‎02-12-2009 10:30 AM

Ok, thanks. Not what I wanted but hey, it is an outdated box.

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to kmontgomery

‎02-12-2009 10:33 AM

Yeah... saddly I think none of the cisco box has the option of passing along the domain login to the domain, I am not sure if the ms client supports it though, I think that if you configure a pptp or l2tp over ipsec client you will be able to achieve it, just my 2 cents

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents