Pix VPN Client how to authenticate with Active Directory

Answered Question
May 5th, 2010

Hi All, I just set up my first VPN Client on a Cisco Pix device. Everything works great as far as hitting the correct subnets and logging on. However, I would like to see how I can have my remote users log in with their Active Directory accounts. As of right now I'm using the local login for the pix for testing purposes. This seems easy, but I'm missing something.

We are using :

Cisco Pix-515E version 6.3(3)

Thanks,

Dan

Correct Answer by Jennifer Halim about 6 years 7 months ago

Unfortunately PIX version 6.3.3 does not support authentication to Active Directory. PIX v6.3.3 only supports authentication to the PIX local database, RADIUS and TACACS servers.

If you would like to authenticate to your Active Directory, it is supported from PIX v7.x onwards.

Here are the different types of authentication supported from PIX v7.x onwards for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/aaa.html

Hope that answers your question.
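As an added illustration, not from the thread or from Cisco's documentation, this is the RADIUS route the answer above says PIX 6.3 does support: the PIX hands the VPN client's XAUTH login to a RADIUS group, and a domain-joined RADIUS server (such as Windows IAS) is the component that actually checks the Active Directory credentials. The server address, shared secret and crypto map name are assumed placeholders.

```cisco
! Added example (not from the thread): PIX 6.3 sending VPN-client XAUTH to an
! external RADIUS group instead of the local user database.
! Assumed values: RADIUS server 10.10.10.5 on the inside interface, shared
! secret "constructed-secret" and crypto map name "outside_map" are placeholders.
!
! The PIX itself only speaks RADIUS (within the 6.3 feature set described above);
! the RADIUS server is joined to the domain and validates the AD account.
aaa-server VPNRADIUS protocol radius
aaa-server VPNRADIUS (inside) host 10.10.10.5 constructed-secret timeout 5
!
! Tie XAUTH for the existing VPN-client crypto map to that group.
! Once this is verified, remove the per-user "username" test accounts so the
! PIX local database is no longer a second, unmanaged credential store.
crypto map outside_map client authentication VPNRADIUS
```

Pick a long random shared secret: the PIX stores it in the running configuration, so treat the config backup as sensitive.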

Federico Coto F... Wed, 05/05/2010 - 15:55

Dan,

If you're not filtering any traffic through the VPN, then the remote computers should be able to authenticate against the directory.

The remote computers should be members of the domain and included in the Active Directory on the main site. Have you verified this?

From the remote client, can you PING the devices on the headend?

If connectivity works, but the problem is that the machines cannot authenticate against AD, make sure the computers are added to the domain correctly and there are no filters in the tunnel.

Federico.

dan hale Wed, 05/05/2010 - 16:20

Hi, the remote computer I'm trying to connect from is not a member of that domain. Basically what I'm trying to accomplish is users have their home (personal) computers that are not attached to the domain. What I'm trying to avoid is creating one remote account locally on the PIX for 20 users or creating 20 usernames on the pix. I thought it would be easier for staff if they could use their Active Directory usernames and passwords.

The Active Directory subnet is allowed in the VPN tunnel and I can ping the AD server when I use one of the local usernames and passwords on the pix.

Thanks for your help,

Dan
