VPN to Windows Network with ACE/SecurID

Archived from groups: microsoft.public.win2000.security

Hi,

Apologies that this is not strictly a Windows question, but I am sure
someone here must have done this and can help.

I am about to implement a remote access solution which involves broadband
users accessing our internal Windows network via internet VPN. The
infrastructure for this is going to be PIX F/W and Cisco VPN
concentrator/Cisco Secure and an RSA/ACE server to provide the strong
2-factor token authentication.
My question is this .... When the user VPN client establishes the VPN
connection and is routed to the ACE server is there a way to perform the
domain logon at the same time?
I know ACE can use LDAP to obtain AD users and store them into the ACE
database, but AFAIK this is just username harvesting to ensure users don't
have a separate ACE login as well as their Windows login.

Any assistance greatly appreciated

GB

gjb wrote:

<snip>
> My question is this .... When the user VPN client establishes the VPN
> connection and is routed to the ACE server is there a way to perform
> the domain logon at the same time?

I figure you've probably reached out to the RSA Tech Support guys for
help on this by now, but if you have not, you might want to check out
RSA's new SecurID for Windows (SID4Win) infrastructure
<http://tinyurl.com/476wy>, and ask your RSA SSE or Customer Support if
it could help you address this issue.

The attention on RSA's SID4Win has largely focused on the way it
permits the replacement of the static password with an RSA SecurID as
native authentication for Windows XP machines (even when those PCs are
temporarily disconnected from the Net). With the RSA Authentication
Manager v. 6 (aka the latest & greatest ACE/Server), and the
appropriate ACE Authentication Agents, SID4Win can also integrate the
Domain logon and the local PC logon.

I frankly don't know how or if a VPN client would be integrated into
this, but others must have raised the same issue for corporate road
warriors.

Here's a rough sketch for how SID4Win handles the Domain logon and the
local XP Windows logon:

A user's PC, loaded with the RSA ACE/Agent Domain Authentication
Component, prompts a user for a SecurID two-factor passcode and sends
it to the DC via SSL. The Domain Controller (with RSA's ACE/Agent
Domain Authentication Server Component and Client Component) in turn
sends the user's name and passcode to the RSA Authentication Manager
(aka ACE/Server). If the passcode is correct, the user gains access to
domain resources and the RAM sends its stored copy of the Windows
password to the Windows logon process to open the door.

I've been a consultant to RSA for many years, but I've never set one of
these up. You really want to talk to an RSA tech support guy to get
your options for your specific environment. I'm not sure of current
pricing either, but for several months RSA has been making all these
new agents available free for most v6 RAM servers.

Suerte,
_Vin