It's about VPN/remote access using a PIX 525 running Cisco PIX Firewall Version 6.3(3) & Cisco PIX Device Manager Version 3.0(1) and ACS 3. Could I set up a PIX as a NAS (AAA client) and use ACS 3 as an AAA server so that users can VPN into the PIX and it will authenticate them using the Windows 2000 Active Directory user database? From there they will be able to map drives, get email from Outlook, etc.
If so, how would I go about doing this? I wanted to use L2TP.
When you are using Windows AD and ACS there is a small problem with a large solution. ACS will only talk natively to a Windows NT domain. When you set up your Active Directory you had to choose between mixed and native. If you set it up in mixed then you are almost home, more on this later. If you set it up in native mode, you are left with two disagreeable choices. One: set up another Windows 2000 server in mixed mode with a one-way trust to the native Active Directory and install ACS on that server. Or use LDAP. If you have a complicated schema then this is a nightmare.
Back to mixed mode. The other problem you will have is that you can't reliably use MSCHAP with ACS. The problem is that ACS must tear down the hash that is used to send the username and password and then resend it. That violates the encryption rules. So in order to get the username and password you have to use PAP. I know, there went all the security.
Once you get it all built it will work great, just like you built Rome. One other suggestion: take a look at Windows IAS, it is the built-in RADIUS server. You cannot run IAS and ACS on the same computer, or at least you should not.