PIX and ACS and W2K domain?

Feb 13th, 2002

We are doing some research for one of our customers.

They would like to give remote users access via a VPN gateway with X.509 certificates (on smartcards) as authentication method.

They recently purchased the Cisco PIX 515 for this.

They are also looking for Single Sign-On. So after authenticating on the PIX the user should be authenticated on a Windows 2000 domain as well, without entering a userid or presenting a certificate again.

What do we need to achieve this? Is the Cisco Secure ACS capable of doing this or can the PIX talk to W2K domains directly? And how does this work? Is there a translation of the DN from the certificate to a known userid in Active Directory? Or will the certificate be forwarded by the PIX to the ACS and directly presented to W2K? And what about NTLM and MS-Kerberos support?

Thanks in advance,


justler Thu, 02/21/2002 - 12:55

You'll need some kind of RADIUS or TACACS+ server to send the authentication requests to the domain... Secure ACS can do both of these. Windows 2000 has a built-in RADIUS server that you could look at. I don't know enough about security to answer your NTLM and Kerberos question... Secure ACS basically translates your PIX authentication requests into NT domain authentication requests and sends them to the domain controller or the backup domain controller.
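To make the PIX-to-ACS leg of the reply above concrete, here is an added example (not code from the poster, from Cisco, or from ACS) of the RADIUS Access-Request/Access-Accept exchange the PIX would use as a NAS, written to RFC 2865: User-Password hiding on the client side, a length-checked packet parser, the Response Authenticator on the server side, and its verification back on the client. The ACS role is reduced to a constructed in-memory user table standing in for the NT domain lookup; the shared secret, user name, password and NAS address are constructed values, and no certificate-to-account mapping is attempted because the reply does not describe one.

```python
import hashlib
import secrets
import struct

# RADIUS packet codes and the attribute types this example uses (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Encode one Type/Length/Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(secret, authenticator, password):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte chunks with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(secret, authenticator, hidden):
    """Reverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """What the PIX (the NAS) sends to ACS. The Request Authenticator must be fresh and unpredictable."""
    req_auth = secrets.token_bytes(16) if authenticator is None else authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(data):
    """Split a RADIUS packet into (code, ident, authenticator, [(type, value), ...]) with length checks."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def handle_access_request(request, secret, user_db):
    """Server side (the ACS role). user_db is a constructed stand-in for the NT domain lookup ACS does."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode("utf-8", "replace")
    password = unhide_password(secret, req_auth, fields.get(USER_PASSWORD, b""))
    ok = user in user_db and secrets.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)


def verify_response(response, request, secret):
    """Client side: accept the reply only if the ID matches and the Response Authenticator checks out.
    Returns the response code, or None if the reply is not authentic."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident:
        return None
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return code if secrets.compare_digest(expected, resp_auth) else None


def demo(username="jdoe", password="S3cret!", client_secret=b"pix-acs-shared-secret",
         server_secret=b"pix-acs-shared-secret"):
    """Full exchange with constructed values; returns the code the PIX would act on (None = unauthentic)."""
    users = {"jdoe": b"S3cret!"}  # constructed stand-in for the domain's accounts
    req = build_access_request(7, client_secret, username, password, "192.0.2.1")
    resp = handle_access_request(req, server_secret, users)
    return verify_response(resp, req, client_secret)


if __name__ == "__main__":
    print(demo(), demo(password="wrong"), demo(server_secret=b"typo"))
```

Two points worth noticing from the code: the User-Password attribute is only XORed with an MD5 keystream derived from the shared secret, not encrypted in any modern sense, and the Response Authenticator is an unkeyed MD5 with the secret appended, so the PIX-to-ACS path should sit on a trusted network and the secret should be long and random. The third call in the demo shows the failure mode of a mismatched secret: the server sees a garbage password and rejects, and the client then discards the reply as unauthentic rather than reporting a reject.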

