Comments on: Cisco PIX VPN and Active Directory Integration

By: slowe

slowe — Tue, 08 Dec 2009 16:27:49 +0000

MAFHH,

Everything does route across the VPN. You’d need to configure the firewall for a split-tunnel VPN setup. There are numerous guides available online to help you with this configuration.

By: MAFHH

MAFHH — Tue, 08 Dec 2009 11:04:48 +0000

Hi,

The problem is once I am connected, I cannot access any internet ips (like google yahoo etc) as if my routing table routes everything over the vpn. How can I fix this?

By: Jeff

Jeff — Tue, 25 Aug 2009 14:56:57 +0000

Back on 9/6/2008 Peter asked about users being prompted to change their AD password when it has expired when AD is how they authenticate. I too would like to know if there is a way to make this happen. We use AD for authentication through the VPN, but users are not prompted to change their passwords when they expire.

We have the “Enable notification upon password expirtion to allow user to change password” checked, along with the “Enable notification prior to expiration” box under that with a “14″ day notify prior to expiraion. But the users never get notified that their password has either expired or is about to expire. We do not have the “Override account-disabled indication from AAA server” right above this checked.

Am I missing something to enable password expiration notifications?

By: fars

fars — Mon, 06 Apr 2009 04:36:51 +0000

Hi
I need help
i can telnet to pix with radius authentication but vpn connection failed with error 691 .
can help me?

By: drummelhart

drummelhart — Thu, 26 Mar 2009 00:14:15 +0000

has anyone successfully VPN’s using Vista?

I am having major problems with personnel

Any ideas?

By: slowe

slowe — Thu, 26 Feb 2009 03:08:19 +0000

Drummelhart,

I don’t think you’ll need ACLs for VPN users to access internal resources, but I could be wrong. It’s been a while since I messed with this.

Good luck!

By: drummelhart

drummelhart — Thu, 26 Feb 2009 00:18:02 +0000

once complete, will I need to make access lists allowing users with the ip network address to access servers IP addresses internally? I actually configured this beast in an hour, minus the extra acl’s

By: slowe

slowe — Wed, 25 Feb 2009 21:31:27 +0000

Drummelhart,

The secret key is for authentication between the Cisco firewall (RADIUS client) and the RADIUS server. It does nothing for user authentication whatsoever.

By: drummelhart

drummelhart — Wed, 25 Feb 2009 19:18:34 +0000

I have a question regarding the secret key, in the 2nd and 3rd line. So when built, my clients will need to type in a certain password, then AD will send them the challenge request, and once accepted they are in the network via VPN?

By: Chris

Chris — Fri, 14 Nov 2008 15:39:56 +0000

Does anyone know if it is possible/how to integrate Microsoft Active Directory into Cisco ASA/FWSM policies such that a particular rule in a policy could use an Active Directory group as a source instead of a list of static IP addresses?

We want to ensure the user is a particular user in a group, especially when they come from a Citrix host with multiple users on a single source IP.

Thanks in advance.