
Cisco ACS Question

Status
Not open for further replies.

kcbs76

MIS
Nov 1, 2005
19
CA
I want to set up the Cisco PIX as a VPN server for Cisco VPN Clients to connect to. I don't want to install the Cisco Secure Access Control Server (CSACS). How can I configure the PIX to authenticate and manage the VPN users? Is this possible?
 
You have three options that I know of... I am not an expert, but I have spent a lot of time researching and attempting to set up a firewall over the past 6 months.

1. Establish a VPN tunnel from your clients to your firewall and pre-establish a network authentication at the tunnel level. This allows your "trusted" users to connect via a preconfigured connection without presenting any AAA credentials during connection.

2. Require not only the tunnel connection credentials, but also create a local database on the PIX that requires both a user ID and password that are authenticated on the PIX. This provides two levels of authentication but requires three points of maintenance (VPN client connection, PIX authorization and then network permissions).

3. The best option is to have your Win2k server authenticate your users based on the Active Directory of your domain. This option makes a very basic assumption that you are running a Win2k/2k3 server running Active Directory (although there are other options, I would assume that this would be the one present). This provides two levels of authentication, first the VPN connection and then through your domain server. If you change/disable/delete any user on your domain, they will not be able to connect to your domain resources, based on your domain settings.

Hope this helps....

Again, no expert, just been where you are now.....
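The following is an added sample configuration illustrating options 2 and 3 from the post above; it is not part of the original thread. It assumes PIX 6.3 syntax, an outside interface facing the clients, an inside server at 192.168.1.10, and made-up names, passwords and address ranges (`vpnpool`, `vpnusers`, `jdoe`, `ADRADIUS`, 192.168.10.0/24) that must be replaced. Lines beginning with ":" are editor annotations in the style of PIX saved-config comments and should be removed before pasting.

```cisco
: --- Option 2: tunnel group password plus a user database held on the PIX ---
: Address pool handed to connecting clients (assumed RFC 1918 range)
ip local pool vpnpool 192.168.10.1-192.168.10.50
: Let decrypted IPsec traffic bypass the outside interface ACL once a tunnel is up
sysopt connection permit-ipsec
: Phase 1 (ISAKMP) policy; the group pre-shared key is what option 1 relies on alone
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Phase 2 (IPsec) transform set and a dynamic crypto map, because client IPs are unknown
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
: Group profile; the Cisco VPN Client's "Group Name"/"Group Password" must match these
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers dns-server 192.168.1.10
vpngroup vpnusers default-domain example.local
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password GroupSecret1
: XAUTH: after the group key is accepted, each user must also present a
: username/password stored on the PIX. LOCAL is the built-in server group
: in PIX 6.3, so no aaa-server definition is needed for it.
username jdoe password Str0ngPassw0rd privilege 0
username asmith password An0therPassw0rd privilege 0
crypto map outside_map client authentication LOCAL

: --- Option 3: check the same XAUTH credentials against Active Directory ---
: PIX 6.x speaks RADIUS and TACACS+, not LDAP, so the Win2k/2k3 domain
: controller (or member server) runs IAS, Microsoft's RADIUS service, and the
: PIX only forwards the XAUTH username/password to it. Replace the LOCAL line
: above with a RADIUS server group:
no crypto map outside_map client authentication LOCAL
aaa-server ADRADIUS protocol radius
aaa-server ADRADIUS (inside) host 192.168.1.10 R4d1usSharedSecret timeout 10
crypto map outside_map client authentication ADRADIUS
```

Two practitioner notes on this example. The `vpngroup ... password` is one secret shared by every client, so on its own (option 1) a single leaked laptop profile grants tunnel access to anyone; the XAUTH step is what ties the tunnel to an individual identity, and with the RADIUS variant disabling the AD account also stops the VPN login, which is the point of option 3. The 3DES/SHA-1/group 2 parameters reflect what PIX 6.3 and the 2005-era Cisco VPN Client supported; on any platform that offers AES and a larger Diffie-Hellman group, prefer those.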
 
Thanks for the reply.

I assume the first option you have stated is a site-to-site VPN.

Do you have any sample configurations for options 2 or 3?

 
There is an ebook from syngress.com that has a fairly intensive explanation of the PIX configurations. Check out the syngress.com book list section and look for the PIX Firewalls ebook. Cheap investment....
 