Forgive me if this has been covered, I looked back a few months and wasn't able to find anything on it. I set up a PIX tonight and at the end the customer asked me to have it authenticate VPN users against his Active Directory database, so I added in the aaa-server commands and the necessary client authentication commands, but failed to ever successfully authenticate any remote users through IAS. I have set this up many times using Windows 2000 IAS without issue, but apparently there is a big difference in how it is implemented in 2003 OR...I'm just totally overlooking something obvious (we all miss something occasionally :) Has anyone set this up successfully using IAS 2003? Any ideas or docs, pointers you might have?
I have been considering moving on to the 2003 too but was told that it is not fully tested. I guess it would be better to wait for some time. However, if you are keen on figuring out what might be wrong, without changing anything on the client, bring the 2000 server back online and see if authentication works. That would at least help you figure out if the problem is with the client configuration or if the server is not supported at all.
Hey, I did get it figured out. Basically, you can't authenticate PPTP users against Microsoft IAS (any version) because it doesn't support a specific Microsoft proprietary attribute that the PIX is looking for in the reply (figures). However, if you're using IPSEC instead of PPTP, the authentication works fine even against Windows 2003 IAS. Just have to change the default policy order number and change the authentication method to PAP/SPAP.
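Added example, not from this thread or from Cisco/Microsoft: a small Python script that builds the PAP Access-Request a PIX sends to a RADIUS server such as IAS, then decodes an Access-Accept and lists any Microsoft vendor-specific attributes (VSAs) it carries. That is the check you would make on a sniffer capture of the IAS reply to see whether the attribute the PIX expects is actually being returned. The shared secret, user name, Request Authenticator and both replies are constructed sample data; the Microsoft sub-attribute used in the second reply (vendor type 7, MS-MPPE-Encryption-Policy from RFC 2548) is only a sample, since the thread does not say which attribute the PIX is looking for, so the script just reports what is present.

```python
"""RADIUS PAP request/reply walkthrough (RFC 2865, MS VSAs per RFC 2548).
Standard library only; every packet is built in memory, nothing is sent."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
VENDOR_MICROSOFT = 311   # enterprise number carried by Microsoft VSAs
HEADER_LEN = 20          # Code, Identifier, Length, 16-byte Authenticator


def pap_password(password, secret, authenticator):
    """Hide a PAP User-Password (RFC 2865 s5.2): pad to 16, XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_password_reveal(hidden, secret, authenticator):
    """Inverse of pap_password, as the RADIUS server does before checking PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def ms_vsa(vendor_type, data):
    """Vendor-Specific (26) wrapping one Microsoft sub-attribute."""
    body = struct.pack("!IBB", VENDOR_MICROSOFT, vendor_type, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, body)


def build_access_request(identifier, username, password, secret, authenticator=None):
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, pap_password(password, secret, authenticator))
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return head + authenticator + attrs


def build_reply(code, request, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request[4:HEADER_LEN] + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:HEADER_LEN], attrs


def verify_reply(reply, request, secret):
    """True if the reply was produced for this request with the same shared secret."""
    head, resp_auth, attrs = reply[:4], reply[4:HEADER_LEN], reply[HEADER_LEN:]
    expected = hashlib.md5(head + request[4:HEADER_LEN] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def microsoft_vsa_types(attrs):
    """Vendor-type numbers of every Microsoft VSA present (empty list = none returned)."""
    found = []
    for atype, value in attrs:
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, _vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == VENDOR_MICROSOFT:
                found.append(vtype)
    return found


def diagnose(reply, request, secret):
    """Summarise a reply the way you would when reading a capture of the IAS answer."""
    if not verify_reply(reply, request, secret):
        return "reply authenticator mismatch: wrong shared secret or forged reply"
    code, _, _, attrs = parse_packet(reply)
    if code != ACCESS_ACCEPT:
        return "access rejected"
    vsas = microsoft_vsa_types(attrs)
    return "accepted with Microsoft VSAs %s" % vsas if vsas else "accepted but no Microsoft VSA in reply"


# --- constructed sample data, not captured traffic ---
SECRET = b"example-shared-secret"
REQUEST = build_access_request(7, b"jdoe", b"Passw0rd!", SECRET, authenticator=bytes(range(16)))
# Accept carrying only a standard attribute: the "no Microsoft attribute" case.
ACCEPT_PLAIN = build_reply(ACCESS_ACCEPT, REQUEST, SECRET, attr(ATTR_USER_NAME, b"jdoe"))
# Accept carrying one Microsoft VSA (vendor type 7, chosen purely as a sample).
ACCEPT_WITH_VSA = build_reply(ACCESS_ACCEPT, REQUEST, SECRET, ms_vsa(7, b"\x00\x00\x00\x01"))

if __name__ == "__main__":
    print(diagnose(ACCEPT_PLAIN, REQUEST, SECRET))
    print(diagnose(ACCEPT_WITH_VSA, REQUEST, SECRET))
```

Point a packet capture's RADIUS payload at parse_packet and microsoft_vsa_types to see exactly which vendor attributes IAS returns for a PAP Access-Accept versus the MS-CHAP exchange PPTP uses; verify_reply also catches the common mistake of a shared secret that differs between the PIX aaa-server line and the IAS client entry.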