Cisco Support Community
New Member

PIX and ACS and W2K domain?


We are doing some research for one of our customers.

They would like to give remote users access via a VPN gateway with X.509 certificates (on smartcards) as authentication method.

They recently purchased the Cisco PIX 515 for this.

They are also looking for Single Sign-On. So after authenticating on the PIX the user should be authenticated on a Windows 2000 domain as well, without entering a userid or presenting a certificate again.

What do we need to achieve this? Is the Cisco Secure ACS capable of doing this or can the PIX talk to W2K domains directly? And how does this work? Is there a translation of the DN from the certificate to a known userid in Active Directory? Or will the certificate be forwarded by the PIX to the ACS and directly presented to W2K? And what about NTLM and MS-Kerberos support?

Thanks in advance,


New Member

Re: PIX and ACS and W2K domain?

You'll need some kind of RADIUS or TACACS+ server to send the authentication requests to the domain... Secure ACS can do both of these. Windows 2000 has a built-in RADIUS server that you could look at. I don't know enough about security to answer your NTLM and Kerberos question... Secure ACS basically translates your PIX authentication requests into NT domain authentication requests and sends them to the domain controller or the backup domain controller.
