Radius Server - Re: Alongwith RSA SecurID or Smartcard Authentication, how to Use IAS 2003 to do Group


Re: Alongwith RSA SecurID or Smartcard Authentication, how to Use IAS 2003 to do Group
Author: Ashwin Palekar (MS)

2004-02-16, 5:33 pm

This is exactly the mess that EAP is designed to prevent. Consider using
equipment that supports EAP so that authentication deployment becomes easier
and you can manage all access from a single place, e.g. L2TP/IPSEC supports
EAP.

Create an IAS remote access policy to verify that the user is a member of a certain
group before granting access. You can create different policies for VPN and
dial-up.

If you use EAP authentication, then install the RSA SecurID pack (which
contains the EAP module) on the IAS server and Windows client. For smartcards, there
isn't any need to deploy EAP modules on IAS and Windows clients since these
are supported out of the box.

If you are not using EAP authentication then deployment is more difficult.
For SecurID: you will need IAS + a SecurID RADIUS server (or any other
RADIUS server that supports SecurID). Configure a connection request policy
in IAS to forward authentication to the remote RADIUS server (select the SecurID
RADIUS server); and configure the connection request policy to also check
against the Windows account. For the second part: set the
Remote-RADIUS-to-Windows mapping attribute on the connection request policy's
Advanced tab.

For smartcards: if you are using smartcards or certificates without EAP,
then you are out of luck.



--
========================================
This posting is provided "AS IS" with no warranties and confers no rights
========================================

"Minal" <minalkc@rediffmail.com> wrote in message
news:6715290d.0402162233.39a72ea0@posting.google.com...
> 1. Cisco PIX Firewall with RSA SecurID Authentication
>
> The Cisco PIX firewall supports AAA using RADIUS & TACACS+ for connections
> passing through the firewall. When a user initiates a connection that
> passes through the firewall to access certain applications, the
> connection matches an ACL. To authenticate the users who access
> specific applications, the connections matching the ACLs trigger the
> AAA. The PIX passes the authentication request in the form of Username
> & RSA Passcode to RSA SecurID. If the passcode is correct, RSA sends an
> accept message to the PIX, which allows the connection through the firewall
> to pass and the user can access the application. Users are only
> configured in the RSA SecurID server. The PIX configuration can decide
> whether to send the Authentication or Authorization request to the RADIUS or
> TACACS+ server. How do I use and configure IAS 2003 to verify whether
> the user is a member of the "Specific Application Users" group in the
> Microsoft A.D. before the PIX permits access to the application
> through the firewall?
>
> 2. Cisco VPN Concentrator with RSA SecurID Authentication
>
> The VPN Concentrator forwards the user authentication request in the form of
> Username & RSA Passcode to the RSA SecurID (SDI) server. The RSA SecurID
> server checks the token passcode of the users and the concentrator grants
> VPN access. Users are only configured in the RSA SecurID server. The
> VPN Concentrator only has IPSEC Groups where the authentication and
> authorization requirements of the members of the group can be
> specified. The VPN Concentrator supports RADIUS, NT Domain, SDI &
> Kerberos / Active Directory Authentication methods & RADIUS & LDAP
> Authorization methods. The Concentrator can pass a common user password to
> any configured RADIUS Authorization server. How do I use and configure
> IAS 2003 to verify whether the user is a member of the "Telecommuters"
> group in the Microsoft A.D. before granting VPN access?
>
> 3. Cisco VPN Concentrator with Smartcard Authentication
>
> The VPN concentrator has an Identity certificate and VPN users have
> smartcards holding the personal certificate issued by the same CA. The
> Concentrator authenticates the user by validating the personal
> certificate of the user and checking the specified CRL using HTTP. The
> users are only configured in the Microsoft A.D. The concentrator only
> has IPSEC Groups where the authentication and authorization can be
> specified. The VPN Concentrator supports RADIUS, NT Domain, SDI &
> Kerberos / Active Directory Authentication methods & RADIUS & LDAP
> Authorization methods. How do I use and configure IAS 2003 to verify
> whether the user is a member of the "Telecommuters" group in the
> Microsoft A.D. before granting VPN access?
>
> Thanks in advance for your valuable help.
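As an added illustration of the non-EAP SecurID flow in Ashwin's reply (this is not code from the thread, from IAS or from RSA), the Python below models the two-step connection request policy: the Access-Request is forwarded to the SecurID RADIUS server, which verifies the passcode, and only then is the user mapped to a Windows account and checked for the required AD group before Access-Accept is returned. The User-Password hiding follows RFC 2865 section 5.2; the shared secret, user, passcode and group tables are constructed sample data, and the dictionary group lookup stands in for the remote access policy's group condition.

```python
import hashlib
import os

# RFC 2865 section 5.2: hide a PAP password (here the SecurID passcode) under
# the RADIUS shared secret, 16-byte blocks chained through MD5.
def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out

# Inverse of hide_password, as the receiving RADIUS server performs it.
def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

# Constructed sample data: the SecurID server only knows token passcodes and
# AD only knows group membership, so neither alone can answer the question.
SECURID_PASSCODES = {"minal": "159753"}
AD_GROUPS = {"CORP\\minal": {"Domain Users", "Telecommuters"}}

def securid_radius_server(username, hidden_pw, secret, req_auth):
    # Stand-in for the remote SecurID RADIUS server selected in the policy.
    passcode = reveal_password(hidden_pw, secret, req_auth).decode()
    ok = SECURID_PASSCODES.get(username) == passcode
    return "Access-Accept" if ok else "Access-Reject"

def ias_connection_request(username, passcode, required_group,
                           secret=b"constructed-shared-secret", domain="CORP"):
    # Step 1: the connection request policy forwards the Access-Request
    # (with a fresh Request Authenticator) to the SecurID RADIUS server.
    req_auth = os.urandom(16)
    hidden = hide_password(passcode.encode(), secret, req_auth)
    if securid_radius_server(username, hidden, secret, req_auth) != "Access-Accept":
        return "Access-Reject"
    # Step 2: Remote-RADIUS-to-Windows mapping: authentication came from the
    # remote server; authorization is decided against the Windows account's groups.
    windows_account = f"{domain}\\{username}"
    if required_group not in AD_GROUPS.get(windows_account, set()):
        return "Access-Reject"
    return "Access-Accept"
```

A valid passcode for a user outside the required group is rejected just as a bad passcode is, which is the behaviour the question asks IAS to enforce.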




Copyright 2003 - 2008 webservertalk.com