Re: IAS Server and Cisco VPN Concentrator



Here is a follow-up post to where I stand... please help...

Hello,

We're testing out a 3020 Concentrator from Cisco for our VPN access to our
users and business partners. We're trying to determine which is the best
route to go with respect to Authentication, RADIUS or Kerberos/Active
Directory. We've set up Microsoft IAS (RADIUS) server on one of our
internal AD DC's and added the 3020 as a RADIUS client. The test group I
created on the 3020 is set up to use RADIUS under the Authentication +
Authorization tabs in the "Remote Access" page. We added the MS IAS RADIUS
server with the shared secret key into the 3020.

I can't get it to work, but my real question is, which one is more secure,
using RADIUS or using Kerberos/AD for authentication? Essentially, we want
to set up groups on the 3020 for our business partners and allow for 2
factor authentication with our Active Directory. We would really like to go
all the way and do Authorization and Accounting as well. Is RADIUS the way
to go, or Kerberos/AD?

During our testing, we're seeing error messages in the system log for the
IAS server stating the 3020 client is using PAP to authenticate and we've
removed all authentication modes except MSCHAP v2.

Can't get anything to work. Any help or suggestions would be appreciated.


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:u$OLY5ZIGHA.2704@xxxxxxxxxxxxxxxxxxxxxxx
>I have used Cisco VPN concentrator and it works fine with IAS on AD
>including (IIRC) certificate authentication.
>
> RADIUS articles @Cisco incl. IAS configs:
>
> http://cco.cisco.com/en/US/tech/tk583/tk547/tsd_technology_support_sub-protocol_home.html
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "msadexchman" <msadexchman@xxxxxxxxx> wrote in message
> news:uiHvcoIIGHA.532@xxxxxxxxxxxxxxxxxxxxxxx
>> Hello,
>>
>> We are presently testing a Cisco 3020 VPN Concentrator to replace our
>> existing VPN solution. One of the things we would like to roll out is
>> some two factor authentication with our Active Directory. Has anyone
>> deployed MS's RADIUS solution of IAS Server in conjunction with a Cisco
>> 3020 VPN Concentrator? Do we simply configure the IAS service on one of
>> our internal AD domain controllers? What type of ports do we have to
>> open up from the DMZ where Concentrator resides to our internal AD? Any
>> input would be greatly appreciated.
>>
>> Regards
>>
>
>
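
Added example, not part of the original thread: one way to confirm which authentication method a RADIUS client is really sending, as in the PAP versus MS-CHAP v2 mismatch described above, is to classify the attributes in an Access-Request (RFC 2865, RFC 2548). It assumes you have the raw UDP payload of a request captured at the IAS server; the sample packets and helper names are constructed for illustration.

```python
import struct

MS_VENDOR_ID = 311  # Microsoft vendor id used in RFC 2548 attributes
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25

def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def auth_method(packet: bytes) -> str:
    """Name the authentication method carried by an Access-Request."""
    if len(packet) < 20 or packet[0] != 1:
        raise ValueError("not an Access-Request")
    for atype, value in iter_attributes(packet):
        if atype == USER_PASSWORD:
            return "PAP"
        if atype == CHAP_PASSWORD:
            return "CHAP"
        if atype == EAP_MESSAGE:
            return "EAP"
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype == MS_CHAP2_RESPONSE:
                return "MS-CHAPv2"
            if vendor == MS_VENDOR_ID and vtype == MS_CHAP_RESPONSE:
                return "MS-CHAPv1"
    return "unknown"

# --- constructed sample packets (not captured from a real device) ---
def _attr(t, v): return bytes([t, len(v) + 2]) + v
def _ms(vt, v): return _attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + _attr(vt, v))
def _request(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

SAMPLE_PAP = _request(_attr(1, b"testuser"), _attr(USER_PASSWORD, bytes(16)))
SAMPLE_MSCHAPV2 = _request(_attr(1, b"testuser"),
                           _ms(MS_CHAP_CHALLENGE, bytes(16)), _ms(MS_CHAP2_RESPONSE, bytes(50)))
```

If the result is "PAP" while the server policy permits only MS-CHAP v2, the mismatch is in what the RADIUS client sends rather than in the server's policy.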

