Cisco Support Community

New Member

VPN 3005 authenticating to a Windows 2000 AD Forest

We recently migrated our VPN from a PIX-based VPN to the VPN 3005 concentrator running software version 4.0. Our clients are all running version 4.0 of the client. Under our PIX setup, when users authenticated they were prompted for a username and password. Now that we are using the VPN 3005 Concentrator they are prompted for a username, password, and Windows domain. I would really like to get back to just having the username and password prompt (no domain). The group is configured for "Radius with expiry" authentication which authenticates users against a Windows 2000 Internet Authentication Service Server (Microsoft RADIUS server).

Does anybody know if we can get back to the previous behavior using the current hardware?

Thanks in advance.

Jason

2 REPLIES
Cisco Employee

Re: VPN 3005 authenticating to a Windows 2000 AD Forest

The client will prompt you for a domain, but in reality you don't need to enter in anything here, since this information isn't actually used anywhere. In fact I thought we had removed this in 3.6 concentrator code, so I'm a little surprised you're still seeing it. We took it out because it has never done anything and generally caused confusion.

The only way you can authenticate a user to a specific domain is to enter their username in as domain\username. As I said, don't worry about entering anything in this domain field, it doesn't do anything for you.

New Member

Re: VPN 3005 authenticating to a Windows 2000 AD Forest

Thanks for the reply. If the domain is entered in the box the authorization request actually passes "domain/user" to the RADIUS server. If no domain is entered, only "user" is passed to the RADIUS server. So it definitely looks like there is still some code on the client to deal with this.

I'm with you on the confusion part. That's the reason I'd like to see if there's a way to get rid of the domain prompt. I'd like to make it as simple and easy as possible for the end users.

Jason
