[unisog] Cisco VPN concentrators and AD

H. Morrow Long morrow.long at yale.edu
Fri Jan 18 00:58:31 GMT 2002

Yes, we use a Cisco VPN server 3030 (and have just
acquired another as a backup).  It has been in use
almost a year.  We are running 3.0.* in production
and testing the 3.5 version of the software.

We use it primarily in PPTP mode currently but plan
heavy IPSEC use.

We have it authenticate against our main W2K AD
domain for authentication by running the M$ RADIUS
server (IAS - Internet Authentication Service) on
our AD servers.  The M$ RADIUS servers support special
extensions for M$ NT/W2K domains so that you can 
support MSCHAPv1 and MSCHAPv2 authentication for 
increased security as well as PPTP encryption (the 
Cisco 30xx services can do both 40bit and 128bit
PPTP encryption).

Be aware that if you try to use NT domain authentication
from the Cisco 30xx directly to a NT DC or W2K AD
server then you will not be able to do PPTP encryption
(sounds wierd doesn't it -- but the VPN server isn't
able to get the initialization vector it needs --as a
seed-- derived from the password string if the PC VPN
client is doing passthru MSCHAP to a DC or AD). 

So you have to use M$ RADIUS or a RADIUS server supporting
the M$ (MSCHAP extensions) to do what you want generally
(you don't want to use PPTP without encryption just as you
don't want to do regular PAP or passwords in the clear...).

- H. Morrow Long
  University Information Security Officer

Russell Fulton wrote:
> Is anyone useing Cisco VPN 3000 concentrators and authenticating
> directly against MS Active Directory.  The general CISCO blurb says it
> is possible and the sales people assure us it is possible but we can't
> find anything in the docs or the configuration.
> There is an option for NT Domain but we would prefer to use our campus
> wide AD service.
> On a more general note any experiences with the Cisco VPN gear -- what
> client software are people using on various systems.
> Windows Native IP Sec
> linux  freeswan
> Mac    ???
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2663 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.dshield.org/pipermail/unisog/attachments/20020117/8d9496a5/smime-0007.bin

More information about the unisog mailing list