VPN Clients with PIX 7.0

g.leonard
Level 1

I have just upgraded to PIX 7.0. The PIX is the VPN head-end to clients using the Cisco VPN client. Currently the users authenticate against a TACACS box, but I have heard that with version 7.0 authentication can be done directly against Microsoft Active Directory. Can anybody give me some advice on how to configure this?

Many thanks

4 Replies

a.kiprawih
Level 7

Hi,

PIX 7.0 supports Microsoft Active Directory via its LDAP.

The config guide is available at the following:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a00804512a5.html#wp1072211

Rgds,

AK

Hey

Thanks for the reply. Cannot seem to get link to work. It won't accept my login credentials???

G

The Cisco ASA command configuration guide states that support of LDAP server is only for authorisation and not authentication. Meaning that authentication has to be done first and somewhere else. If you want to authenticate your users against AD then the easiest way to do it is by:

1.- Install IAS and make it a member of the domain. Refer to Microsoft documentation for setting this up; it is very straightforward.

2.- Use the ASA/PIX as a RADIUS client of the IAS box.

3.- On the VPN group, point the authentication to AAA where your IAS is the RADIUS server.
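
Steps 2 and 3 of the reply above, sketched as PIX/ASA 7.x configuration. This is an added example, not part of the original thread; the server-group name, interface name, IP address, tunnel-group name and shared secret are all placeholders.

```cisco
! Added example. Every name, address and key below is a placeholder.
!
! Step 1 is done on the Windows side (not shown): IAS is installed on a
! domain member and the PIX is registered there as a RADIUS client.
!
! Step 2: define the IAS box as a RADIUS server, reached via the inside interface.
aaa-server IAS_RADIUS protocol radius
aaa-server IAS_RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 timeout 5
!
! Step 3: point the remote-access VPN group at that server group.
tunnel-group VPNCLIENTS type ipsec-ra
tunnel-group VPNCLIENTS general-attributes
 authentication-server-group IAS_RADIUS
```

The `key` value must match the shared secret entered for the PIX in IAS; use a long random value, since it is what protects user passwords in transit between the PIX and the RADIUS server.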

t.notland
Level 1

This feature is also supported with PIX 6.3 and maybe also previous versions. It is easily done with Internet Authentication Service (IAS) on your Windows server and RADIUS.