Re: PIX 6.3 Easy VPN users, authentication thru Active Directory

kev_jacob · ‎06-26-2006

Hello,

Can remote VPN clients be authenticated through Windows Active Directory server on a PIX 515E v6.3.

If so what is the command to do this. If it is not possible on 6.3, is this option available with 7.0?

Kevin.

gfullage · ‎06-26-2006

In 6.x you'd have to front-end your AD server with a Radius or TACACS server, as this is all the PIX supports.

Version 7.x introduced native authentication to AD (either NT or LDAP), see here for details:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpngrp.htm#wp1044654

Note that the config will change a lot between v6 and v7, although if you upgrade the conversion will be taken care of for you. Basically you'll end up with a tunnel-group for your remote-access (RA) users, and you configure the authentication group under there as such:

tunnel-group type ipsec-ra

tunnel-group general-attributes

authentication-server-group adsvr

tunnel-group ipsec-attributes

pre-shared key

aaa-server adsvr protocol nt

aaa-server adsvr host 10.1.1.1

nt-auth-domain-controller

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/cmd_ref/index.htm for the full command reference.

kev_jacob · ‎06-27-2006

Thank you very much gfullage

PIX 6.3 Easy VPN users, authentication thru Active Directory?