Re: Single logon authentication with Pix firewall.

From: Mark Addiss (markaddiss@netscape.net)
Date: 12/27/01


From: Mark Addiss <markaddiss@netscape.net>
Date: Thu, 27 Dec 2001 21:44:09 GMT

Mark,

I have done this "the other way round", where my Windows users come into a
PIX VPN using either their NT Domain username/password or SecurID keyfobs.
The software I used was the CISCO ACS, which let me allocate ACLs to groups
or individual users. I guess you should be able to authenticate outgoing
connections in the same way.

Regards
Mark

mark@mrctek.com (Mark Rousell) wrote in
news:memo.20011227200843.1228A@ekp.cix.co.uk:

> I wonder if anyone knows of some software which will help with this...
>
> I have LAN users who log on to either a Windows NT Domain or Active
> Directory. They may log on from any workstation on the LAN. The LAN has
> Internet access controlled by a Pix firewall. My requirement is for the
> users' act of logging on (and off) to set their outgoing access
> privileges through the Pix. I do not want them to have to authenticate
> themselves separately on the Pix - I want everything to be set with a
> single logon/off to the Windows workstation.
>
> So what I need is a piece of software that will watch for logons and
> logoffs on the Domain/AD controller, and then send the appropriate
> user's outgoing access authorisation settings to the Pix for use on the
> user's workstation's IP address for that particular session. At the end
> of the session, the software would remove outgoing access for the
> workstation's IP address (until another user logged into it).
>
> Does anyone know of software to do this? It's a fairly simple
> requirement that should be possible.
>
> There is at least one firewall, the NetGuard GuardianPro that provides
> a similar facility - it has 'Authentication Clients' which run on a
> Windows PC which allow the user to identify and authenticate themselves
> with the firewall, and then be granted their own individual access
> rights. However, this software still does not allow a *single* logon
> and it won't work with a Pix.
>
> Any ideas?
>
>
> Mark
>
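The logon-watcher the quoted question describes (workstation IP authorised for the session, revoked at logoff), combined with the per-group ACL allocation the reply mentions, sketched as an added Python example. This is not code from either poster or from Cisco; the event line format, user names, group names and ACL names are constructed assumptions.

```python
import re

# Constructed sample of the logon/logoff feed a watcher on the domain
# controller might produce; this line layout is hypothetical, not a real
# Windows event format.
SAMPLE_EVENTS = [
    "2001-12-27T20:05:11 LOGON  user=alice ws=10.1.2.31",
    "2001-12-27T20:06:02 LOGON  user=bob   ws=10.1.2.45",
    "2001-12-27T20:30:40 LOGOFF user=alice ws=10.1.2.31",
    "2001-12-27T20:31:05 LOGON  user=carol ws=10.1.2.31",
    "2001-12-27T20:40:00 LOGON  user=dave  ws=10.1.2.45",    # bob never logged off
    "2001-12-27T21:00:00 LOGOFF user=mallory ws=10.1.2.99",  # no session on that IP
]

# Group-to-ACL allocation in the style the reply describes for ACS (assumed names).
GROUP_ACL = {"staff": "acl_staff_out", "admins": "acl_admin_out"}
USER_GROUP = {"alice": "staff", "bob": "admins", "carol": "staff", "dave": "staff"}

EVENT_RE = re.compile(r"^\S+\s+(LOGON|LOGOFF)\s+user=(\S+)\s+ws=(\S+)$")


def process_events(lines):
    """Replay logon/logoff events in order.

    Returns the list of firewall actions ("permit"/"revoke", ip, user, acl)
    that would be pushed to the PIX, plus the final IP -> (user, acl) table.
    """
    sessions = {}   # workstation IP -> (user, acl) currently authorised
    actions = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue                      # malformed line: ignore, never authorise
        kind, user, ip = m.groups()
        if ip in sessions:
            # Clear whatever this IP already had. A new logon on a still
            # authorised IP must not inherit the previous user's rights, and a
            # logoff removes the session regardless of which user it names.
            old_user, old_acl = sessions.pop(ip)
            actions.append(("revoke", ip, old_user, old_acl))
        if kind == "LOGON":
            acl = GROUP_ACL.get(USER_GROUP.get(user))
            if acl is None:
                continue                  # unknown user or group: IP stays closed
            sessions[ip] = (user, acl)
            actions.append(("permit", ip, user, acl))
    return actions, sessions
```

Because the PIX only ever sees an IP address, the table is the whole identity binding: a logoff event that is lost leaves the workstation authorised as the previous user until the next logon on that IP clears it, which is why the replace-on-logon step matters.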
