Cisco Support Community


VPN site-site with PIX AAA and logon on AD


We have a site-to-site VPN with a Cisco router and a PIX. On the PIX I've implemented the AAA model for authenticating traffic through the PIX to end devices for services like FTP, HTTP and Telnet, with an external RADIUS server (MS IAS).

Is it possible to authenticate the user when he tries to connect to a server for browsing the net resources, and associate him with the batch file (or the URL of this batch file) defined in Active Directory, via RADIUS?

For me, no... but I want to be sure. Maybe we can start authentication via RADIUS when a user starts a batch file on the remote PC that tries to map network drives, when the traffic reaches the PIX?

Any ideas or confirmation are very much appreciated.

THANKS... a lot



Re: VPN site-site with PIX AAA and logon on AD

You probably could, but do you *really* want to?

Let me put on my 2xMCSE hat:

A lot of Windows networking stuff occurs behind the scenes. Remember, all NT-based OSes on the domain have machine accounts in the domain, just like your users do. System policies, authentication, etc. all occur behind the scenes. Trying to force "user"-level actions to auth, and not systems, would be near miraculous - after all, users and machine accounts are not much different at all - same construct, just different default privileges.

So, I would recommend not mucking with things that could break your Windows networking. Instead, google for the NSA guides to securing Windows, and think about cranking up your auditing and logging policies on your actual Windows machines.


Re: VPN site-site with PIX AAA and logon on AD


Thanks. To be precise, the remote users are external and must use the file server (mapping the shared folders) dedicated only to their operations.

It sounds like the best solution would be leaving the authentication on the domain created on this file server, instead of authenticating the user on the PIX when the customer PC tries to access the shared folder using TCP 139...
