PIX 525 VPN to Windows 2000 Domain

guy.maxwell
Level 1

It's about VPN/remote access using a PIX 525 running Cisco PIX Firewall Version 6.3(3) & Cisco PIX Device Manager Version 3.0(1) and ACS 3. Could I set up a PIX as a NAS (AAA client) and use ACS 3 as an AAA server so that users can VPN into the PIX and it will authenticate them using the Windows 2000 Active Directory user database? From there they will be able to map drives, get email from Outlook, etc.

If so, how would I go about doing this? I wanted to use L2TP.

1 Reply

tcross3
Level 1

When you are using Windows AD and ACS there is a small problem with a large solution. ACS will only talk natively to a Windows NT domain. When you set up your Active Directory you had to choose between mixed and native. If you set it up in mixed then you are almost home, more on this later. If you set it up in native mode, you are left with two disagreeable choices. One: set up another Windows 2000 server in mixed mode with a one-way trust to the native Active Directory and install ACS on that server. Or use LDAP. If you have a complicated schema then this is a nightmare.

Back to mixed mode. The other problem you will have is that you can't reliably use MS-CHAP with ACS. The problem is that ACS must tear down the hash that is used to send the username and password and then resend it. That violates the encryption rules. So, in order to get the username and password you have to use PAP. I know, there went all the security.

Once you get it all built it will work great, just like you built Rome. One other suggestion: take a look at Windows IAS, it is the built-in RADIUS server. You cannot run IAS and ACS on the same computer, or at least you should not.

Take a look at all of the following:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007cd66.html

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_device_support_table09186a008018492f.html

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494d.html#42233

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html

Hope this helps.

Tom Ross
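As an added illustration of the PIX side of what the reply describes (L2TP over IPsec with PPP PAP handed to ACS over RADIUS), not configuration taken from the thread or from Cisco's documentation: the ACS address, shared secrets, DNS server, pool and object names are assumed placeholders, and the IKE pre-shared key assumes the clients are set up for pre-shared keys.

```cisco
! Placeholders (assumed, not from the thread): ACS on the inside at 10.1.1.5,
! RADIUS shared secret "radius-secret", internal DNS at 10.1.1.2,
! client pool 10.2.2.1-10.2.2.50, IKE pre-shared key "ike-secret".

! AAA client side: point the PIX at ACS over RADIUS
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 radius-secret timeout 5

! Addresses handed to L2TP clients so they can reach file and mail servers
ip local pool l2tp-pool 10.2.2.1-10.2.2.50

! L2TP: accept dial-in and hand PPP authentication to ACS.
! PAP is used because, as the reply notes, ACS cannot pass MS-CHAP through
! to the domain. The cleartext PPP password is protected only by the IPsec
! transport-mode SA below, so L2TP must never be allowed without IPsec.
vpdn group l2tp-group accept dialin l2tp
vpdn group l2tp-group ppp authentication pap
vpdn group l2tp-group client configuration address local l2tp-pool
vpdn group l2tp-group client configuration dns 10.1.1.2
vpdn group l2tp-group client authentication aaa RADIUS
vpdn enable outside
! Let terminated L2TP traffic bypass the interface access lists
sysopt connection permit-l2tp

! IPsec in transport mode, which L2TP/IPsec clients require
crypto ipsec transform-set l2tp-set esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-set mode transport
crypto dynamic-map dynmap 10 set transform-set l2tp-set
crypto map l2tpmap 10 ipsec-isakmp dynamic dynmap
crypto map l2tpmap interface outside

! IKE with a wildcard pre-shared key (assumption; Windows 2000 L2TP/IPsec
! clients use certificates by default and need a change to use a PSK)
isakmp enable outside
isakmp key ike-secret address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The RADIUS secret and the shared key are the only things standing between a PAP password and the wire, so treat both as high-value secrets and rotate them if the ACS host is ever suspected of compromise.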