Can a Cisco PIX 515 use a Windows 2000 Server running IAS as its authentication server? Well, I am trying to get VPN hardware that can access Windows 2000 AD for its users and passwords. Can somebody suggest what Cisco hardware to use, and what type of security is best for around 50-100 VPN users? I am also looking for something that is easy to deploy.
Yes, you can use Win2000 IAS as the RADIUS server for the PIX 515 to authenticate your VPN users. In IAS you can configure a VPN group and make the VPN users members of that group, so that even users who belong to your Windows domain but don't belong to the VPN group will not be able to log in to the VPN. To make your VPN more secure you can use two-factor authentication, so that the VPN users use a token to generate a "one-time password/response" to the challenge received from the VPN system.
So in order to log in to the VPN, the user will provide their Windows password, which will be passed on to a middle tier, which will pass it to the IAS server; if it matches, the middle tier will send a challenge to the user and will be expecting a CORRECT response. The user will generate a "one-time password/response" with the help of a token by inputting the challenge into the token. When the middle tier receives the correct response, it tells the PIX that the RADIUS authentication is successful.
For the PIX, the middle tier will be the RADIUS server, which in turn uses IAS in the background to verify the initial Windows password. You can look at the following middleware/token products:
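The two-round exchange this answer describes, as an added example that is not part of the original thread or of any Cisco or Microsoft product: a Python model in which the middle tier acts as the RADIUS server toward the PIX, checks the Windows password against an IAS stand-in that also enforces VPN-group membership, and then issues a RADIUS Access-Challenge that the user answers with a token. The RADIUS code names and the State and Reply-Message attributes follow RFC 2865; everything else is assumed for illustration: messages are plain dictionaries rather than encoded RADIUS packets, the user accounts and passwords are constructed, and the token is a hypothetical HMAC-SHA256-based challenge-response device (real token vendors use their own algorithms).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the IAS backend: Windows accounts with passwords
# and group memberships. Only members of the "vpn" group may use the VPN.
DOMAIN_USERS = {
    "alice": {"password": "Winter2003!", "groups": {"domain users", "vpn"}},
    "bob":   {"password": "Summer2003!", "groups": {"domain users"}},
}

# Per-user token seeds known to the middle tier (assumed, hypothetical token).
TOKEN_SECRETS = {"alice": b"alice-token-seed", "bob": b"bob-token-seed"}


def token_response(secret: bytes, challenge: str) -> str:
    """Hypothetical token: HMAC-SHA256(seed, challenge) truncated to six digits."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def ias_authenticate(username: str, password: str) -> bool:
    """IAS stand-in: the Windows password must match AND the user must be in 'vpn'."""
    account = DOMAIN_USERS.get(username)
    if account is None:
        return False
    if not hmac.compare_digest(account["password"].encode(), password.encode()):
        return False
    return "vpn" in account["groups"]


class MiddleTier:
    """RADIUS-speaking proxy between the PIX and IAS that adds a second factor."""

    def __init__(self) -> None:
        # State value -> (user, challenge) for logins awaiting the token response
        self._pending: Dict[str, Tuple[str, str]] = {}

    def handle(self, request: dict) -> dict:
        user = request.get("User-Name", "")
        state = request.get("State")
        if state is None:
            # Round 1: first factor, verified by IAS in the background.
            if not ias_authenticate(user, request.get("User-Password", "")):
                return {"Code": "Access-Reject"}
            challenge = f"{secrets.randbelow(10**8):08d}"
            state = secrets.token_hex(16)
            self._pending[state] = (user, challenge)
            # RFC 2865: the NAS must echo State unchanged in its next Access-Request.
            return {"Code": "Access-Challenge", "State": state,
                    "Reply-Message": f"Challenge: {challenge}"}
        # Round 2: second factor. State is single-use, so a replay is rejected.
        pending = self._pending.pop(state, None)
        if pending is None or pending[0] != user:
            return {"Code": "Access-Reject"}
        expected = token_response(TOKEN_SECRETS[pending[0]], pending[1])
        if hmac.compare_digest(expected, request.get("User-Password", "")):
            return {"Code": "Access-Accept"}
        return {"Code": "Access-Reject"}


def vpn_login(tier: MiddleTier, user: str, password: str,
              token_secret: Optional[bytes]) -> str:
    """Simulate the PIX/user side: send the password, then the token's answer."""
    reply = tier.handle({"User-Name": user, "User-Password": password})
    if reply["Code"] != "Access-Challenge":
        return reply["Code"]
    challenge = reply["Reply-Message"].split("Challenge: ", 1)[1]
    # A user without a token has nothing to type back; the answer is empty.
    answer = token_response(token_secret, challenge) if token_secret else ""
    final = tier.handle({"User-Name": user, "User-Password": answer,
                         "State": reply["State"]})
    return final["Code"]


if __name__ == "__main__":
    tier = MiddleTier()
    print("alice, password + token:", vpn_login(tier, "alice", "Winter2003!", TOKEN_SECRETS["alice"]))
    print("alice, wrong password:  ", vpn_login(tier, "alice", "nope", TOKEN_SECRETS["alice"]))
    print("bob, not in vpn group:  ", vpn_login(tier, "bob", "Summer2003!", TOKEN_SECRETS["bob"]))
    print("alice, no token:        ", vpn_login(tier, "alice", "Winter2003!", None))
```

The point of the model is the placement of the checks: the PIX only ever talks RADIUS to the middle tier, the Windows password never reaches the middle tier's own store, group membership is enforced before any challenge is issued, and the State value is consumed on first use so a captured challenge/response pair cannot be replayed.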