Cisco Support Community


PIX 525 VPN to Windows 2000 Domain

It's about a VPN/Remote Access using PIX 525 running Cisco PIX Firewall Version 6.3(3) & Cisco PIX Device Manager Version 3.0(1) and ACS 3. Could I set up a PIX as a NAS (AAA Client) and use ACS 3 for an AAA server so that users can VPN into the PIX and it will authenticate them using the Windows 2000 Active Directory user database? From there they will be able to map drives, get email from Outlook, etc.....?

If so, how would I go about doing this? I wanted to use L2TP.


Re: PIX 525 VPN to Windows 2000 Domain

When you are using Windows AD and ACS there is a small problem with a large solution. ACS will only talk natively to a Windows NT domain. When you set up your Active Directory you had to choose between mixed and native. If you set it up in mixed then you are almost home, more on this later. If you set it up in native mode, you are left with two disagreeable choices. One, set up another Windows 2000 server in mixed mode with a one-way trust to the native Active Directory and install ACS on that server. Or use LDAP. If you have a complicated schema then this is a nightmare.

Back to mixed mode. The other problem you will have is that you can't reliably use MS-CHAP with ACS. The problem is that ACS must tear down the hash that is used to send the username and password and then resend it. That violates the encryption rules. So in order to get the username and password you have to use PAP. I know, there went all the security.

Once you get it all built it will work great, just like you built Rome. One other suggestion: take a look at Windows IAS, it is the built-in RADIUS server. You cannot run IAS and ACS on the same computer, or at least you should not.

Take a look at all of the following:

Hope this helps.

Tom Ross
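To illustrate what the original question asks for and what the reply describes (PIX as a RADIUS AAA client, L2TP over IPsec, PAP as the PPP authentication method), here is an added PIX 6.3 configuration sketch. It is not from either poster and not from a Cisco document; the addresses, pool, group name, pre-shared key and RADIUS shared secret are constructed placeholders to be replaced with your own values.

```text
! --- Constructed example: PIX 6.3 as RADIUS client for L2TP/IPsec remote access ---

! RADIUS server (ACS 3 or Windows IAS) on the inside network
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10 RadiusSecretPlaceholder timeout 5

! Address pool handed to L2TP clients
ip local pool l2tppool 192.168.100.1-192.168.100.50

! L2TP group: authenticate PPP users via RADIUS.
! PAP is used because, as the reply explains, ACS cannot reliably proxy
! MS-CHAP to a Windows domain. PAP credentials are cleartext inside the
! PPP session, so this only makes sense with the IPsec transport-mode
! protection below.
vpdn group l2tpvpn accept dialin l2tp
vpdn group l2tpvpn ppp authentication pap
vpdn group l2tpvpn client configuration address local l2tppool
vpdn group l2tpvpn client authentication aaa RADIUS
vpdn enable outside

! IPsec in transport mode, as L2TP/IPsec clients expect
crypto ipsec transform-set l2tpset esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpset mode transport
crypto dynamic-map dynmap 10 set transform-set l2tpset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

! ISAKMP policy and a wildcard pre-shared key for road-warrior clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key PreSharedKeyPlaceholder address 0.0.0.0 netmask 0.0.0.0

! Let IPsec and L2TP traffic bypass interface ACLs
sysopt connection permit-ipsec
sysopt connection permit-l2tp
```

On the ACS (or IAS) side the PIX must be added as an AAA client with the same shared secret, and the user database pointed at the Windows domain. After the change, `debug ppp` and `debug crypto isakmp` on the PIX, together with the Failed Attempts log on ACS, show whether a failed logon is an IPsec problem, a PPP authentication-method mismatch, or a domain lookup problem.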
