New Member

USE MS IAS AS RADIUS

Has anybody out there successfully configured W2K IAS as RADIUS for VPN Client 3.5 with a PIX 520 as the VPN gateway? We have a W2K/NT network and are looking for a single sign-on solution. I have followed the Cisco doc 'Configuring Cisco PIX 6.X and VPN Client 3.5 for MS W2K IAS RADIUS Authentication', but couldn't get it to work. It seems the IAS is not talking to the domain controller; IAS has been registered in AD. Thanks in advance for your help.

Ryan

2 REPLIES

Re: USE MS IAS AS RADIUS

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

New Member

Re: USE MS IAS AS RADIUS

It took quite a bit of tinkering, but I did get it to work. My NAS is a Cisco VPN Concentrator 3015. The nice thing about it is that it gives you a GUI where you can test against your RADIUS server with an account and password. I had to put IAS on a domain controller... Win2k with AD.

A couple of pitfalls to watch out for. First is the services file in %winsysdir%\system32\drivers\etc. You'll find entries for radius and radius accounting... ports 1812 and 1813. That's what I used for IAS when you right-click and go to Properties in the IAS MMC. On the NAS side, PIX 520 for you, set it to go to port 1812 for RADIUS and 1813 for RADIUS accounting. The default is ports 1645 and 1646, I believe.

Also, after you have this set up, you'll need to go into "Active Directory Users and Computers" and set all of your users' properties on the "Dial in" tab to "Deny Access". Allow access for the profiles you want to allow to get in over VPN. There is an IAS log called simply iaslog on the DC that you can look at to get some more information. You'll need to adjust the PIX, I imagine, to allow the RADIUS traffic to go to that server.

This is an attractive solution since most everyone has Win2k and IAS is free. Funk's Steel Belted Radius is nice software but very expensive and overkill for a shop that wants to allow remote workers and not be an ISP. Oh yes, make absolutely double, triple sure that your preshared key between the PIX and IAS is EXACTLY the same.
