Re: How do I deal with remote non domain PC's



"Helpseta" <helpdesk@xxxxxxxxxxxxxxxxxxx> wrote in
news:1150371741.164277.253110@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:

Hey guys,

Got a MS question for you and hopefully you are able to point me in the
right direction.
We are using PIX VPN and are using MS IAS / RADIUS Server for
authentication. Clients are connecting with MS PPTP client.
To prevent remote non domain pc's from signing on as Anonymous to a
member file server, what would you use to authenticate? PKI
environment/Certificates or is IAS enough?

My problem is now that IAS gets them through the first door but if they
need to access other MS file servers they are being re-prompted for
credentials.

If anybody knows some How To documents for this implementation, it would be
much appreciated.

Jan


Hi Jan --

When access clients attempt to connect through VPN PPTP connections and the
VPN server is configured as a RADIUS client to an IAS server, IAS
authenticates and authorizes the connection request, then sends an
Access-Accept or Access-Reject message to the VPN server, which allows or
denies the connection attempt accordingly.

In the case of an Access-Accept, after the connection is established, IAS
does not have anything to do with whether the access client or user has
permission to access shares on file servers, intranet web pages, or other
network resources -- and IAS does not perform authentication when VPN users
attempt to access these resources. This is true whether the authentication
method used is password-based or certificate-based.

When users attempt to access a network resource like a file share, they are
prompted for credentials and can select the option that the credentials are
remembered -- but each time they access a *different* resource they are
prompted again for credentials. These authentication processes are not
handled by IAS.

I am not sure how you can accomplish what you want to do, but it will
probably be helpful to you if you read up on access control lists,
Kerberos, and file sharing. A search in WS03 Help should turn up a good
deal of information on these topics.



--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.