We are doing some research for one of our customers.
They would like to give remote users access via a VPN gateway with X.509 certificates (on smartcards) as the authentication method.
They recently purchased the Cisco PIX 515 for this.
They are also looking for Single Sign-On. So after authenticating on the PIX, the user should be authenticated on a Windows 2000 domain as well, without entering a userid or presenting a certificate again.
What do we need to achieve this? Is the Cisco Secure ACS capable of doing this or can the PIX talk to W2K domains directly? And how does this work? Is there a translation of the DN from the certificate to a known userid in Active Directory? Or will the certificate be forwarded by the PIX to the ACS and directly presented to W2K? And what about NTLM and MS-Kerberos support?
You'll need some kind of RADIUS or TACACS+ server to send the authentication requests to the domain... Secure ACS can do both of these. Windows 2000 has a built-in RADIUS server that you could look at. I don't know enough about security to answer your NTLM and Kerberos question... Secure ACS basically translates your PIX authentication requests into NT domain authentication requests and sends them to the domain controller or the backup domain controller.