Re: IAS VPN authentication only grants access to domain if user has certificate
anonymous_at_discussions.microsoft.com
Date: 03/11/05
- Next message: Graham Turner: "IAS server log entry of 'Guest' access"
- Previous message: kapil [MSFT]: "Re: List of Event Viewer "Reason""
- In reply to: FenderAxe: "Re: IAS VPN authentication only grants access to domain if user has certificate"
- Next in thread: FenderAxe: "Re: IAS VPN authentication only grants access to domain if user has certificate"
- Reply: FenderAxe: "Re: IAS VPN authentication only grants access to domain if user has certificate"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 10 Mar 2005 21:48:21 -0800
The question is: how does the non-PEAP (VPN) connection authenticate a certificate against AD? It seems that somehow the PEAP auth takes place even though it is not specified.

So my question is: at what point does the VPN connection use the certificate?

The VPN checks against AD and allows the connection based on username/password. IAS then obviously continues to check if the certificate is present. If it is, the VPN user is logged in to the domain. This is the non-documented piece.

Can someone explain?
>-----Original Message-----
>"Jon Clark" <ja1clark@yahoo.com> wrote in
>news:5f2601c52431$d9fea970$a401280a@phx.gbl:
>
>> I have Cisco PIX setup to use IAS as the Radius server. IAS
>> is also configured for EAP authentication from a wireless AP.
>> Hence I have 2 clients specified (PIX and AP).
>>
>> I have 2 remote access policies in this order.
>> 1. check to see if client is 802.11 and request EAP
>> authentication
>> 2. default policy that allows 24 hour access and uses CHAP
>>
>> This all works fine - wireless users cannot connect to AP
>> w/o a user certificate.
>> VPN users are challenged with a username, password box
>> using Cisco VPN client.
>>
>> I can VPN to the PIX using a machine without a user
>> certificate and it grants me access to the IP network but I
>> have to reauthenticate to any domain resource as
>> DOMAIN\username.
>>
>> The Issue is: If I VPN from a machine that does have a
>> valid user certificate then it grants me access to the IP
>> network and the domain. This implies that the RADIUS has
>> authenticated AND AD has authenticated. How does this work
>> as I do not see it in any documentation and obviously I am
>> not being given AD authentication w/o the certificate.
>>
>> Rgds, Jon
>>
>
>One auth method is cert-based (the EAP-TLS on the APs) and one is password-
>based, right? So when you connect with a cert-based method and your machine
>is challenged for credentials by a domain resource, the machine
>automatically passes the cert and is authenticated. No user interaction
>needed.
>
>This can't happen with the password-based auth method -- so the user is
>prompted to reenter credentials when connecting to a new resource. Not
>sure, but there might be some simple setting to cache and reuse the
>credentials, not sure with CHAP. (CHAP isn't very secure; you should upgrade
>to CHAPv2 or something. PEAP w/chapv2, maybe, if you can use that with
>VPN.)
>
>So in both cases the RADIUS server has authenticated the user against AD --
>the VPN user wouldn't be able to connect at all if this weren't the case,
>authentication would fail and the IAS server would deny the connection.
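The two ordered remote access policies described in the quoted post (802.11 clients must use EAP, then an unscoped 24-hour default that permits CHAP), modelled as an added example that is not part of this thread and is not IAS code. IAS evaluates remote access policies in order and the first policy whose conditions match decides the outcome; it does not fall through to the next one. The Request and Policy classes, the policy names, the sample requests and the "scoped" variant (VPN policy limited to the PIX client and to MS-CHAPv2, in the spirit of the reply's "upgrade to CHAPv2") are my assumptions; the NAS-Port-Type numbers are the RFC 2865 values.

```python
"""
Model of IAS-style ordered remote access policies (first match wins).

Added example, not code from the thread or from IAS. It shows why an
unscoped default policy catches every request the first policy does not
match, and what scoping the VPN policy and dropping plain CHAP changes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# NAS-Port-Type values from RFC 2865
NAS_PORT_TYPE_VIRTUAL = 5           # tunnelled / VPN sessions
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_80211 = 19   # Wireless-IEEE-802.11


@dataclass
class Request:
    """Constructed stand-in for an Access-Request: just the attributes the policies test."""
    client: str           # RADIUS client friendly name, e.g. "PIX" or "AP" (constructed)
    nas_port_type: int
    auth_method: str      # "EAP-TLS", "CHAP", "MS-CHAPv2", ...


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Set]       # attribute -> accepted values; empty dict matches everything
    allowed_auth: Set[str]           # authentication methods the policy's profile permits
    session_timeout: Optional[int] = None

    def matches(self, req: Request) -> bool:
        # All conditions must hold; an empty condition list is a catch-all.
        return all(getattr(req, attr) in values for attr, values in self.conditions.items())


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Return (decision, policy name). The first policy whose conditions match decides;
    if its profile does not permit the offered method the request is rejected, with no
    fall-through to later policies (IAS remote access policy semantics)."""
    for policy in policies:
        if policy.matches(req):
            if req.auth_method in policy.allowed_auth:
                return "Access-Accept", policy.name
            return "Access-Reject", policy.name
    return "Access-Reject", "no matching policy"


# Policies as the post describes them: 802.11 -> EAP, then an unscoped CHAP default.
THREAD_POLICIES = [
    Policy("wireless-eap", {"nas_port_type": {NAS_PORT_TYPE_WIRELESS_80211}}, {"EAP-TLS"}),
    Policy("default-chap", {}, {"CHAP"}, session_timeout=24 * 3600),
]

# Tighter variant (assumption, not from the thread): the VPN policy is scoped to the
# PIX client and to virtual ports, and its profile only permits MS-CHAPv2.
SCOPED_POLICIES = [
    Policy("wireless-eap", {"nas_port_type": {NAS_PORT_TYPE_WIRELESS_80211}}, {"EAP-TLS"}),
    Policy("pix-vpn-mschapv2",
           {"client": {"PIX"}, "nas_port_type": {NAS_PORT_TYPE_VIRTUAL}},
           {"MS-CHAPv2"}, session_timeout=24 * 3600),
]

# Constructed sample requests. "ap-ethernet-chap" stands for a registered client
# whose request does not carry the 802.11 port type and so misses the first policy.
SAMPLE_REQUESTS = {
    "ap-eap-tls": Request("AP", NAS_PORT_TYPE_WIRELESS_80211, "EAP-TLS"),
    "ap-chap": Request("AP", NAS_PORT_TYPE_WIRELESS_80211, "CHAP"),
    "pix-chap": Request("PIX", NAS_PORT_TYPE_VIRTUAL, "CHAP"),
    "pix-mschapv2": Request("PIX", NAS_PORT_TYPE_VIRTUAL, "MS-CHAPv2"),
    "ap-ethernet-chap": Request("AP", NAS_PORT_TYPE_ETHERNET, "CHAP"),
}


def decide_all(policies: List[Policy], requests: Dict[str, Request]) -> Dict[str, Tuple[str, str]]:
    return {name: evaluate(policies, req) for name, req in requests.items()}


if __name__ == "__main__":
    for label, policies in (("thread", THREAD_POLICIES), ("scoped", SCOPED_POLICIES)):
        for name, (decision, policy) in decide_all(policies, SAMPLE_REQUESTS).items():
            print(f"{label:7} {name:18} -> {decision} ({policy})")
```

Two things stand out when the model runs. A wireless client that offers CHAP is rejected by the first policy rather than slipping through to the default, because the conditions matched and the profile forbade the method. Conversely, any registered client whose request lacks the 802.11 port type lands on the unscoped default and is accepted with plain CHAP; scoping that policy to the PIX and to MS-CHAPv2 turns that into a reject.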