New Member

VPN site-site with PIX AAA and logon on AD

Hi,

We have a site-to-site VPN with a Cisco router and a PIX. On the PIX I've implemented the AAA model for authenticating traffic through the PIX to end devices for services like FTP, HTTP and Telnet, with an external RADIUS server (IAS MS).

Is it possible to authenticate the user when he tries to connect to a server to browse the network resources, and to associate him with the batch file (or the URL of this batch file) defined in Active Directory, via RADIUS?

For me, no... but I want to be sure. Maybe we can start authentication via RADIUS when a user starts a batch file on the remote PC that tries to map network drives, when the traffic reaches the PIX?

Any ideas or confirmation are very much appreciated.

THANKS...a lot

Omar

2 REPLIES
Silver

Re: VPN site-site with PIX AAA and logon on AD

You probably could, but do you *really* want to?

Let me put on my 2xMCSE hat:

A lot of Windows networking stuff occurs behind the scenes. Remember, all NT-based OSes on the domain have machine accounts in the domain, just like your users do. System policies, authentication, etc. all occur behind the scenes. Trying to force "user" level actions to auth, and not systems, would be near miraculous - after all, user and machine accounts are not much different at all - same construct, just different default privileges.

So, I would recommend not mucking with things that could break your Windows networking. Instead, google for the NSA guides to securing Windows, and think about cranking up your auditing and logging policies on your actual Windows machines.

New Member

Re: VPN site-site with PIX AAA and logon on AD

Hi,

Thanks for the info... to be precise, the remote users are external and must use the file server (mapping the shared folders) dedicated only to their operations.

It sounds like the best solution would be to leave the authentication to the domain created on this file system, instead of authenticating the user on the PIX when the customer PC tries to access the shared folder using TCP 139...
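To make concrete why the thread lands where it does, here is an added configuration sketch of the setup described in the original question (PIX cut-through proxy to an external RADIUS server). It is not from this thread nor a Cisco example; it uses PIX 6.3-style syntax, and the interface names, addresses, server tag, syslog host and shared secret are assumed placeholders.

```cisco
! Added example, not from this thread. PIX 6.3-style syntax; all addresses,
! the server tag "RADIUS", the syslog host and <shared-secret> are assumed.
!
! RADIUS server group pointing at the Windows IAS box on the inside network.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.5 <shared-secret> timeout 5
!
! Cut-through proxy: only FTP, HTTP and Telnet sessions entering on the
! outside interface are intercepted and the user is prompted for credentials.
aaa authentication include ftp outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
!
! SMB/NetBIOS (TCP 139 here, TCP 445 on newer Windows) carries no prompt the
! PIX can inject. Including it (for example via "any") does not challenge the
! user; the PIX just drops the session until the same source IP has already
! authenticated through one of the three services above or via virtual telnet.
! A "net use" issued from a logon batch file is therefore never authenticated
! by the PIX, which is why the domain is the right place for that check.
!
! Send AAA accept/deny events to a syslog host so they remain auditable
! alongside the Windows-side auditing the first reply recommends.
logging on
logging trap informational
logging host inside 192.168.10.20
```

The three `aaa authentication include` lines are the whole of what the proxy can intercept; anything else is either passed through unauthenticated (if not listed) or blocked until a prior FTP/HTTP/Telnet login from the same address (if listed), which matches the "leave it to the domain" conclusion above.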
