Comments on: Cisco PIX VPN and Active Directory Integration

By: Chris

Chris — Fri, 14 Nov 2008 15:39:56 +0000

Does anyone know if it is possible/how to integrate Microsoft Active Directory into Cisco ASA/FWSM policies such that a particular rule in a policy could use an Active Directory group as a source instead of a list of static IP addresses?

We want to ensure the user is a particular user in a group, especially when they come from a Citrix host with multiple users on a single source IP.

Thanks in advance.

By: Heino

Heino — Thu, 13 Nov 2008 10:30:10 +0000

Hi Peter,

will the Password change request from DC passed through to the Cisco CPN Client?

By: vpn service

vpn service — Thu, 02 Oct 2008 14:20:51 +0000

Hi,
What I have seen using internal dhcp seems to be problematic.
If you have any solutions for that, I had to hear them

By: Peter

Peter — Sat, 06 Sep 2008 12:43:05 +0000

Hi Scott,
I am new to this Blog and i have a question related to the AD Auth over PIX.
A Remote User did not log into the AD for a certain time and his password in AD has expired and needs to be changed.
Usually he will be asked to change his password when he is logging on in the Domain on Local LAN.
But what about remote users?
VPN Client Ver.5 from CISCO and the Firewall is a PIX 506e with 6.3.
AD Authentication is allready working fine.
Is there a way that the user will be asked to change his Password because it has expired? As Domain Server we use Windows 2008 Enterprise and Winows XP as Client.

By: Jared

Jared — Wed, 04 Jun 2008 15:15:42 +0000

Good read, everything worked and I can connect into my network with no issue.

The problem is once I am connected, I cannot access any internet ips (like google yahoo etc) as if my routing table routes everything over the vpn. How can I fix this?

By: David

David — Thu, 17 Apr 2008 23:17:39 +0000

Hi guys,

I am an IT manager trying to implement Cisco IPSEC VPN access along with including Windows Networking. So, users remotely can browse our Network Neighborhood or access servers/desktops using their NETBIOS names. I have not found any solid documentation on this type of implementation. I am using an ASA/PIX 5510 IOS 8.0.3 This is a 2nd gen PIX. Any help?

By: slowe

slowe — Sat, 26 Jan 2008 14:40:09 +0000

Jo,

From what I’ve seen, using internal DHCP seems to be problematic. If you have any solutions for that, I’d love to hear them!

By: Jo

Jo — Sat, 26 Jan 2008 12:55:43 +0000

Sure you can use AD to authenticate VPN clients via PIX. I’m using Cisco Secure ACS Engine Solution as a RADIUS and a Cisco Remote Client comes with it and it’s installed on a member AD server. Works great.

Before that I was using Cisco Secure ACS software and to be honest I like it better because it doesn’t require an additional client and once installed on a machine which is part of AD works great.

Back there (3 years ago) the ACS software was working only on MS WIN 2000 Server. I don’t know what is the situation today but my new Solution Engine is running Win 2000 as well. I do not have access to the OS which is somehow good. The box is independent.

ACS could be used for any device on your network including switches/routers etc, anything that could use RADIUS or TACACS. Very useful appliance. A bit expensive… mine came in for $8500.

Does anybody use internal DHCP?

By: ScottG

ScottG — Thu, 03 Jan 2008 18:40:19 +0000

Has anyone got this going with IPSec? I have a PIX running IOS 7.1. I want to eliminate group authentication on the PIX and have VPN clients authenticated against AD. Can I do this using the radius server or do I need something else?

Thanks.

By: Fred

Fred — Fri, 12 Oct 2007 20:53:46 +0000

Tom,

IPSec is a whole nother ball game. The commands above won’t help at all with IPSec VPN.