
Windows 2003 Server to Cisco PIX authentication


Mark
Mar 27, 2006, 9:12:55 AM
Hello,

I would like to setup my Windows 2003 Server environment where I have one
single point of management for my VPN users so that when I disable their
Windows 2003 account it also disables their Cisco VPN connection.

Can anyone provide information on how to setup Windows 2003 Server so that
it can authenticate to a Cisco PIX firewall?

Thanks for any help or direction you can point me in :-).

Mark


Shawn Mesiatowsky (Mesiatowsky@discussions.microsoft.com)
Mar 28, 2006, 12:18:02 PM
First you have to go into IAS and set up a new RADIUS client. Just type
anything (like cisco) for the friendly name, type in the IP of the pix box,
and type in a shared secret (which will be used to configure the pix box as
well). You can also set up remote access policies to see who can connect, etc.,
but this is not a requirement. Next is to set up the pix to use a radius server
for authentication. Now you need to configure the pix box as follows:

!specify address pool for VPN clients
ip local pool VPNPool 192.168.0.209-192.168.0.214
vpngroup unlimitedvpn address-pool VPNPool

!setup split dns so internal dns resolution still works in conjunction with the internet
vpngroup unlimitedvpn dns-server 192.168.0.2
vpngroup unlimitedvpn split-tunnel VPN_splitTunnelAcl
vpngroup unlimitedvpn split-dns mydomain.com

vpngroup unlimitedvpn idle-time 1800

!specify password for vpn group
vpngroup unlimitedvpn password vpnpassword

!setup radius authentication for vpn clients
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius

!specify windows 2003 IAS server IP address and substitute sharedsecret with the actual shared secret setup in IAS
aaa-server partnerauth (inside) host 192.168.0.2 sharedsecret timeout 10


Now you just need to set up the cisco VPN client software on clients. You
still need to supply the VPN username and password info set up in the pix box, but
then it will ask you for a second set of credentials which it will
authenticate against the RADIUS server. One side note is how to set up who can
log into the VPN. You can either specify on each user in the AD user's properties,
and check off the "allow access" check box in the dial-in page, or you can
specify to use remote access policies, and set up a policy in IAS. This should
get you started in the right direction. Hope this helps.
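To see what the PIX and the IAS box actually exchange under this setup, here is an added Python example (not from the thread, and not Cisco or Microsoft code) that builds a RADIUS Access-Request with the PAP password hidden under the shared secret per RFC 2865, and checks that a server reply was really produced with that secret; the username, password, secret and NAS address are constructed values.

```python
import hashlib
import os
import socket
import struct


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks of the padded password with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: what IAS does before checking the password against AD."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: bytes, password: bytes, secret: bytes, nas_ip: str,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request (code 1) with User-Name(1), User-Password(2) and NAS-IP-Address(4)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator must be unpredictable
    hidden = pap_hide(password, secret, authenticator)
    attrs = (struct.pack("!BB", 1, 2 + len(user)) + user
             + struct.pack("!BB", 2, 2 + len(hidden)) + hidden
             + struct.pack("!BB", 4, 6) + socket.inet_aton(nas_ip))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        typ, length = packet[pos], packet[pos + 1]
        attrs[typ] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Server reply (2 = Accept, 3 = Reject) whose authenticator is MD5 over header, request auth and secret."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check: an Accept not signed with the shared secret must be ignored."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

The shared secret is the only thing protecting the password in transit and the only thing binding the reply to the server, which is why it should be long and kept off the wire between the PIX inside interface and the IAS host.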
