Has anybody out there successfully configured W2K IAS as RADIUS for VPN Client 3.5 with a PIX 520 as the VPN gateway? We have a W2K/NT network and are looking for a single sign-on solution. I have followed the Cisco doc 'Configuring Cisco PIX 6.X and VPN Client 3.5 for MS W2K IAS RADIUS Authentication', but couldn't get it to work. It seems the IAS is not talking to the domain controller; IAS has been registered in AD. Thanks in advance for your help.
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
It took quite a bit of tinkering, but I did get it to work. My NAS is a Cisco VPN Concentrator 3015. The nice thing about it is that it gives you a GUI where you can test against your RADIUS server with an account and password. I had to put IAS on a domain controller... Win2k with AD.

A couple of pitfalls to watch out for. First is the services file in %winsysdir%\system32\drivers\etc. You'll find entries for radius and radius accounting... ports 1812 and 1813. That's what I used for IAS when you right-click and go to Properties in the IAS MMC. On the NAS side, PIX 520 for you, set it to go to port 1812 for RADIUS and 1813 for RADIUS accounting. The default is ports 1645 and 1646, I believe.

Also, after you have this set up, you'll need to go into "Active Directory Users and Computers" and set all of your users' properties on the "Dial-in" tab to "Deny Access". Allow access for the profiles you want to allow to get in over VPN. There is an IAS log called simply iaslog on the DC that you can look at to get some more information. You'll need to adjust the PIX, I imagine, to allow the RADIUS traffic to go to that server.

This is an attractive solution since most everyone has Win2k and IAS is free. Funk's Steel Belted Radius is nice software but very expensive and overkill for a shop that wants to allow remote workers and not be an ISP. Oh yes, make absolutely double, triple sure that your preshared key between the PIX and IAS is EXACTLY the same.
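The reply above boils the troubleshooting down to three things: the UDP port (1812/1813 versus the legacy 1645/1646), firewall rules letting RADIUS reach the DC, and a shared secret that matches exactly. The script below is an added example, not code from the thread or from Cisco or Microsoft; it does in Python what the concentrator's "test" button does: build an RFC 2865 PAP Access-Request, send it to the IAS server on UDP 1812, and verify the reply's Response Authenticator with the shared secret. The packet construction is pure Python so it can be checked offline; the server address, NAS address, secret and credentials in the usage block at the bottom are constructed placeholders. A reply whose authenticator does not verify is the signature of a secret mismatch, and a timeout points at the port or the firewall.

```python
"""Minimal RADIUS (RFC 2865) Access-Request builder and reply checker.
Added example for testing a NAS-to-IAS setup; not from the original thread."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
RADIUS_AUTH_PORT = 1812   # IANA-assigned port; older NAS defaults use 1645


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", t, len(value) + 2) + value


def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20:
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return expected == reply[4:20]


def build_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """What a server does to sign a reply; included so the checker can be
    exercised offline without a live IAS."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def radius_test(server, secret, user, password, nas_ip, port=RADIUS_AUTH_PORT, timeout=3):
    """Send one Access-Request and classify the outcome the way a NAS would."""
    packet, ra = build_access_request(user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: check the port (1812 vs 1645) and firewall rules to the DC"
    if not reply_is_authentic(reply, ra, secret):
        return "reply failed authenticator check: shared secret mismatch"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        reply[0], f"unexpected code {reply[0]}")


if __name__ == "__main__":
    # Constructed placeholder values; replace with your IAS server, the PIX's
    # inside address, the shared secret configured on both sides, and a test user.
    print(radius_test("192.0.2.10", b"PLACEHOLDER_SECRET", "testuser", "testpass", "192.0.2.1"))
```

Run it from a host that the PIX rule set and the IAS client entry both allow, since IAS only answers clients it has configured. If the user in AD still has "Deny Access" on the Dial-in tab, a correctly authenticated reply will be an Access-Reject; that is the server working, not a secret problem.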