05-06-2002 07:32 AM - edited 02-21-2020 09:59 AM
Hello,
I wanted to know if there is a way to authenticate VPN users without the ACS, such as on a PIX box or with the help of a Microsoft server.
Thanks,
Radhika
05-06-2002 09:14 AM
There are a lot of ways to authenticate a VPN user even without ACS. You can configure your PIX firewall as a VPN gateway which can authenticate a VPN user locally, or you can implement XAUTH using RADIUS. The RADIUS server can be any freely available compliant Unix server, or you can use your Windows domain controller for XAUTH using "Active Directory" as the RADIUS server. Again, you can use one-factor authentication or two-factor authentication. The basic two-factor authentication you can do with a PIX is that you can use the static IP address of the VPN client in the PIX VPN config as the second factor (i.e. what you have) along with the RADIUS password (i.e. what you know). The limitation with this approach is that VPN connectivity can be granted only from a previously configured IP address.
Otherwise you can implement a challenge-response method as two-factor authentication, where you can use tokens (software or hardware) as "what you have" to generate one-time passwords. Again, these tokens can be configured in "response only mode" or "challenge response mode".
I have tested and implemented the above-mentioned methods successfully. Again, if you already have a RADIUS server working from your old installation and you don't want the headache of scrapping all that user database info and configuring it again on the new RADIUS servers, there are "middleware radius" solutions available which can save your previous investment and are a lot cheaper (if you don't have thousands of VPN users).
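The two token modes named in the reply above, sketched as an added example that is not part of the original post or any vendor's code. It assumes an RFC 4226 style HMAC one-time password as a stand-in for whatever algorithm a given token product uses; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def response_only_code(seed: bytes, counter: int) -> str:
    """Response-only mode: token and server share a seed and a moving counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)

def challenge_response_code(seed: bytes, challenge: str) -> str:
    """Challenge-response mode: the code depends on a server-issued challenge."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha1).digest()
    return _truncate(mac)

class AuthServer:
    """Hypothetical back end that a RADIUS server would consult (assumption)."""

    def __init__(self, seed: bytes, window: int = 3):
        self.seed = seed
        self.counter = 0      # next counter value the server expects
        self.window = window  # look-ahead for button presses that never reached us
        self.pending = {}     # user -> outstanding challenge

    def verify_response_only(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(code, response_only_code(self.seed, c)):
                self.counter = c + 1  # burn this code and every earlier one
                return True
        return False

    def issue_challenge(self, user: str) -> str:
        self.pending[user] = f"{secrets.randbelow(10 ** 8):08d}"
        return self.pending[user]

    def verify_challenge(self, user: str, code: str) -> bool:
        challenge = self.pending.pop(user, None)  # each challenge is single use
        if challenge is None:
            return False
        expected = challenge_response_code(self.seed, challenge)
        return hmac.compare_digest(code, expected)
```

In response-only mode the replay protection comes from the server advancing its counter; in challenge-response mode it comes from the server never accepting the same challenge twice.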
05-06-2002 09:35 AM
The easiest way would be to run Radius on your Microsoft Server. You could then utilize the userlist in your NT domain since the Microsoft Radius authenticates against the NT domain.
Scott