We are doing some research for one of our customers.
They would like to give remote users access via a VPN gateway with X.509 certificates (on smartcards) as the authentication method.
They recently purchased the Cisco PIX 515 for this.
They are also looking for Single Sign-On. So after authenticating on the PIX the user should be authenticated on a Windows 2000 domain as well, without entering a userid or presenting a certificate again.
What do we need to achieve this? Is the Cisco Secure ACS capable of doing this or can the PIX talk to W2K domains directly? And how does this work? Is there a translation of the DN from the certificate to a known userid in Active Directory? Or will the certificate be forwarded by the PIX to the ACS and directly presented to W2K? And what about NTLM and MS-Kerberos support?
Thanks in advance,