VPN to Windows Network with ACE/SecurID

Archived from groups: microsoft.public.win2000.security

Hi,

Apologies that this is not strictly a Windows question, but I am sure
someone here must have done this and can help.

I am about to implement a remote access solution which involves broadband
users accessing our internal Windows network via internet VPN. The
infrastructure for this is going to be PIX F/W and Cisco VPN
concentrator/Cisco secure and an RSA/ACE server to provide the strong
2-factor token authentication.
My question is this .... When the user VPN client establishes the VPN
connection and is routed to the ACE server, is there a way to perform the
domain logon at the same time?
I know ACE can use LDAP to obtain AD users and store them into the ACE
database, but afaik this is just username harvesting to ensure users don't
have a separate ACE login as well as their Windows login.

Any assistance greatly appreciated.

GB

gjb wrote:

<snip>
> My question is this .... When the user VPN client establishes the VPN
> connection and is routed to the ACE server is there a way to perform
> the domain logon at the same time?

I figure you've probably reached out to the RSA Tech Support guys for
help on this by now, but if you have not, you might want to check out
RSA's new SecurID for Windows (SID4Win) infrastructure
<http://tinyurl.com/476wy>, and ask your RSA SSE or Customer Support if
it could help you address this issue.

The attention on RSA's SID4Win has largely focused on the way it
permits the replacement of the static password with an RSA SecurID as
native authentication for Windows XP machines (even when those PCs are
temporarily disconnected from the Net). With the RSA Authentication
Manager v. 6 (aka the latest & greatest ACE/Server), and the
appropriate ACE Authentication Agents, SID4Win can also integrate the
Domain logon and the local PC logon.

I frankly don't know how or if a VPN client would be integrated into
this, but others must have raised the same issue for corporate road
warriors.

Here's a rough sketch for how SID4Win handles the Domain logon and the
local XP Windows logon:

A user's PC, loaded with the RSA ACE/Agent Domain Authentication
Component, prompts a user for a SecurID two-factor passcode and sends
it to the DC via SSL. The Domain Controller (with RSA's ACE/Agent
Domain Authentication Server Component and Client Component) in turn
sends the user's name and passcode to the RSA Authentication Manager
(aka ACE/Server). If the passcode is correct, the user gains access to
domain resources and the RAM sends its stored copy of the Windows
password to the Windows logon process to open the door.

I've been a consultant to RSA for many years, but I've never set one of
these up. You really want to talk to an RSA tech support guy to get
your options for your specific environment. I'm not sure of current
pricing either, but for several months RSA has been offering all these
new agents free for most v6 RAM servers.

Suerte,
_Vin
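The three-party logon flow sketched in the reply above, as an added example that is not part of the original post and is not RSA's code: a Python model of the user's PC agent, the Domain Controller with its ACE/Agent components, and the Authentication Manager that checks the two-factor passcode and, on success, releases its stored copy of the Windows password. Everything in it is an assumption made for the model: the user name, seed, PIN and password are constructed demo data, the passcode format (PIN followed by a six-digit tokencode) and the RFC 6238-style HMAC tokencode stand in for the proprietary SecurID algorithm, the SSL transport between PC, DC and Authentication Manager is omitted, and the class and function names are invented here.

```python
import hashlib
import hmac
import struct

# Constructed demo data (not real seeds, PINs or passwords). In the
# design described in the post, the Authentication Manager holds the
# token seed and PIN and a stored copy of the user's Windows password.
TOKEN_SEEDS = {"gjb": b"constructed-demo-seed-not-a-real-token"}
USER_PINS = {"gjb": "2468"}
STORED_WINDOWS_PASSWORDS = {"gjb": "W1ndows-Pa55-demo"}

STEP_SECONDS = 60  # tokencode rotation interval assumed for the model


def tokencode(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Six-digit time-based code derived from the seed with HMAC-SHA1.

    This is an RFC 6238-like stand-in, NOT the proprietary SecurID
    algorithm; it only gives the model a deterministic moving code.
    """
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


class AuthenticationManager:
    """Stand-in for RSA Authentication Manager (the ACE/Server)."""

    def __init__(self):
        self._used = set()  # (user, counter) pairs already accepted

    def verify(self, user: str, passcode: str, now: int):
        """Return the stored Windows password on success, else None."""
        seed = TOKEN_SEEDS.get(user)
        pin = USER_PINS.get(user)
        if seed is None or pin is None or not passcode.isascii():
            return None
        # Passcode = PIN + current tokencode; tolerate one step of clock drift.
        for drift in (-1, 0, 1):
            t = now + drift * STEP_SECONDS
            expected = pin + tokencode(seed, t)
            if hmac.compare_digest(passcode, expected):
                counter = t // STEP_SECONDS
                if (user, counter) in self._used:
                    return None  # same passcode presented twice: reject replay
                self._used.add((user, counter))
                return STORED_WINDOWS_PASSWORDS[user]
        return None


class DomainController:
    """Stand-in for the DC running the ACE/Agent server and client components."""

    def __init__(self, am: AuthenticationManager):
        self._am = am

    def domain_logon(self, user: str, passcode: str, now: int) -> dict:
        """Forward name and passcode to the Authentication Manager; on
        success complete the ordinary Windows logon with the released
        password (the model only records that this step happened)."""
        windows_password = self._am.verify(user, passcode, now)
        if windows_password is None:
            return {"user": user, "domain_access": False}
        return {"user": user, "domain_access": True,
                "windows_logon": "completed with password released by RAM"}


def user_pc_logon(dc: DomainController, user: str, passcode: str, now: int) -> dict:
    """Step 1 of the sketch: the PC's agent prompts for the passcode and
    sends it to the DC (the SSL channel is omitted in this model)."""
    return dc.domain_logon(user, passcode, now)


if __name__ == "__main__":
    dc = DomainController(AuthenticationManager())
    now = 1_100_000_000  # fixed clock so the run is reproducible
    good = USER_PINS["gjb"] + tokencode(TOKEN_SEEDS["gjb"], now)
    print(user_pc_logon(dc, "gjb", good, now))   # accepted
    print(user_pc_logon(dc, "gjb", good, now))   # replay refused
    print(user_pc_logon(dc, "gjb", "0000" + good[4:], now))  # wrong PIN refused
```

The model makes one property of the described design explicit: the Authentication Manager is the component that both decides the two-factor check and holds the Windows password it releases, so in a real deployment its host, its database and the channel to the DC deserve the same protection as a domain controller, and the replay set shows why a passcode accepted once must not be accepted again within its validity window.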