11-13-2003 08:51 AM - edited 02-21-2020 12:52 PM
It's about a VPN/Remote Access using PIX 525 running Cisco PIX Firewall Version 6.3(3) & Cisco PIX Device Manager Version 3.0(1) and ACS 3. Could I set up a PIX as a NAS (AAA Client) and use ACS 3 for an AAA server so that users can VPN into the PIX and it will authenticate them using the Windows 2000 Active Directory user database? From there they will be able to map drives, get email from Outlook, etc.?
If so, how would I go about doing this? I wanted to use L2TP.
11-13-2003 08:23 PM
When you are using Windows AD and ACS there is a small problem with a large solution. ACS will only talk natively to a Windows NT domain. When you set up your Active Directory you had to choose between mixed and native. If you set it up in mixed then you are almost home, more on this later. If you set it up in native mode, you are left with two disagreeable choices. One, set up another Windows 2000 server in mixed mode with a one-way trust to the native Active Directory and install ACS on that server. Or use LDAP. If you have a complicated schema then this is a nightmare.
Back to mixed mode. The other problem you will have is that you can't reliably use MS-CHAP with ACS. The problem is that ACS must tear down the hash that is used to send the username and password and then resend it. That violates the encryption rules. So in order to get the username and password you have to use PAP. I know, there went all the security.
Once you get it all built it will work great, just like you built Rome. One other suggestion: take a look at Windows IAS, it is the built-in RADIUS server. You cannot run IAS and ACS on the same computer, or at least you should not.
Take a look at all of the following:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml
Hope this helps.
Tom Ross
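An added example, not from the thread or from Cisco, of the PIX 6.3 side of what Tom describes: the PIX defined as a RADIUS AAA client of ACS, an L2TP/IPsec dial-in group that hands user authentication to that server, and PPP PAP as he says is required. All addresses, group names, pool ranges and the secrets are assumed placeholders.

```cisco
! --- RADIUS server group pointing at ACS (ACS must list this PIX as an
! --- AAA client with the same shared secret). Server address is assumed.
aaa-server ACSRADIUS protocol radius
aaa-server ACSRADIUS (inside) host 10.1.1.5 <radius-shared-secret> timeout 10

! --- Addresses handed to VPN clients once they authenticate (assumed range)
ip local pool vpnpool 192.168.100.1-192.168.100.50

! --- Permit L2TP to terminate on the outside interface without a conduit
sysopt connection permit-l2tp

! --- IPsec in transport mode, which is what L2TP/IPsec clients expect
crypto ipsec transform-set l2tpset esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpset mode transport
crypto dynamic-map dynmap 10 set transform-set l2tpset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

! --- IKE phase 1 with a wildcard pre-shared key for roaming clients
isakmp enable outside
isakmp key <pre-shared-key> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- L2TP dial-in group. PAP at the PPP layer is what lets ACS forward the
! --- password to the Windows domain (see the answer above); the PAP
! --- password only ever travels inside the IPsec tunnel, and the PIX-to-ACS
! --- leg is a RADIUS Access-Request protected by the shared secret, so keep
! --- that leg on the trusted inside network.
vpdn group l2tpgrp accept dialin l2tp
vpdn group l2tpgrp ppp authentication pap
vpdn group l2tpgrp client configuration address local vpnpool
vpdn group l2tpgrp client configuration dns 10.1.1.3
vpdn group l2tpgrp client configuration wins 10.1.1.3
vpdn group l2tpgrp client authentication aaa ACSRADIUS
vpdn enable outside
```

After a client connects, `show vpdn session` on the PIX and the Passed/Failed Attempts reports in ACS show whether the username reached the Windows database.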