Re: VPN client are prompted for username/password

---

• From: "ZVR" <no_spam_ever@xxxxxx>
• Date: Thu, 16 Mar 2006 18:02:14 -0500

---

Phillip is entirely correct, however you could add "Authenticated Users" to
the rule instead of "All Users", in which case users authenticated by any
entity (ISA included) will be allowed access - so you will be able to track
who uses what.

Virgil



"Phillip Windell" <@.> wrote in message
news:OvAX4gUSGHA.6084@xxxxxxxxxxxxxxxxxxxxxxx

Unless the users machine's they are sitting at are Members of the Domain,
and the users log in with Domain Accounts,...this is the way it is
supposed
to behave.

The credentials they use to establish the VPN connection do only
that,..they
establish the VPN connection,...that does not "log them onto the Domain".

At our place the Users are using their work laptops that are already
members
of the domain and the users are logging into the laptops with thier
"cached"
domain account. They can use any valid credentials to establish the
VPN,..but the actual domain authentication goes by their cached domain
account,...so they don't get the prompt. Whatever credentials they used
to
established the VPN link with become irrelevant after the link is
established.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Rob Pijpers" <RobPijpers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C5B66BFC-CE0D-4DF2-BE7F-D0B34AE63F27@xxxxxxxxxxxxxxxx

We have the following situation, VPN users connect to an ISA 2004 SE and

are

routed to the internal network, this works fine. RSA is used in the
authentication process and this firewall handles only VPN traffic. If the

VPN

users want to go to the internet they connect to an ISA 2004 EE cluster
(2
nodes). When they do they are prompted for username/password.
Regarding the username/password entered they can't connect to the

internet.

The rule allowing access to internet permits users of an AD group to get

to

the internet, this works fine for the client on the internal network.
The only way to get the VPN users to the internet is to add the ISA

buildin

All users group to the rule. The disadvantage is that all users get
unauthenticated to the internet.
So what is going wrong here?

.

---

• Follow-Ups:
  • Re: VPN client are prompted for username/password
    • From: Rob Pijpers

• Prev by Date: Re: Activesync and ISA 2004 SP1 FBA compatability
• Next by Date: Re: Need to find out the IP of someone trying to hack a server
• Previous by thread: Users still connecting to proxy after removal
• Next by thread: Re: VPN client are prompted for username/password
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: 802.1x authentication for wireless issues w/ ISA 2004 ... Implement 802.1X authentication with IAS as provided by microsoft. ... Configure ISA 2004 to use radius-authenication via IAS for VPN ... (microsoft.public.windows.server.sbs) Re: OT: SonicWALL TZ 170 ... So I currently have RADIUS two-factor authentication where users ... the SBS 4.5 days, will only pass one VPN user through to the SBS at a time. ... they can't get to ISA to even attempt a login. ... (microsoft.public.backoffice.smallbiz2000) VPN certificate login problem ... I am currently using ISA 2004 VPN with EAP certificate Authentication PPTP ... I set up certificates fine on ISA box and client according to the VPN rev ... (microsoft.public.isaserver) Re: ISA2004 having problems with CISCO ACS server ... ISA is not involved with the initial VPN connection or authentication. ... authentication server to support our radius needs. ... (microsoft.public.isa.vpn) VPN login problem ... I am currently using ISA 2004 VPN with EAP certificate Authentication PPTP ... I set up certificates fine on ISA box and client according to the VPN rev ... (microsoft.public.isa.vpn)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > ISA  > microsoft.public.isa  > 2006-03