RE: User Authentication Question

From: Sergey Golovanov (sergey.golovanov@iementor.com)
Date: Wed Mar 28 2007 - 03:31:06 ART

• Next message: Trying CCIE: "Very high CPU utilization on BGP router"
• Previous message: Digital Yemeni: "Re: 1st Lab Attempt - Once Beaten, Twice Bold!!"
• Maybe in reply to: Ye Tian: "User Authentication Question"
• Next in thread: Radioactive Frog: "Re: User Authentication Question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

IAS... Yuk! :) just keep in mind, that in certain situations when using chap or dhchap (mds san-os fcsp) password methods, you might need to enable windows policy feature called "store password using reversible encryption for all users in the domain". It's needed so that windows keeps the unencrypted version of the password for each user. By default, it's disabled and windows stores passwords using its own hashing algorithm. This feauture can be configured for the entire AD domain if the server is part of it, or you can enable it individually on each server. Go to cp > admin tools > local security policy > security settings > account policies > password policy and set the above mentioned feature to enabled. Right click on "security settings" and click reload. If you already have created user accounts, make sure to reset their passwords after enabling this password policy.

In either case you can check if the problem exists by checking event viewer system log. You would see the "IAS" warning messages when authentication has failed because of this issue.

-------------------------
Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
"Please, don't ask me for my ccie #, there are reasons why I can't release it"
ieMentor Instructor and Content Developer
www.iementor.com

-----Original Message-----
From: Sean.Zimmerman@clubcorp.com
To: "Ye Tian" <emaomi@gmail.com>
Cc: "ccielab@groupstudy.com" <ccielab@groupstudy.com>
Sent: 3/27/07 9:00 PM
Subject: Re: User Authentication Question

If ACS is out of reach and you're not allergic to Microsoft products, you
can run RADIUS on IAS for authentication. Should be a free add-on with
W2k3 standard or better.

Sean

"Ye Tian" <emaomi@gmail.com>
Sent by: nobody@groupstudy.com
03/27/2007 04:41 PM
Please respond to
"Ye Tian" <emaomi@gmail.com>

To
"ccielab@groupstudy.com" <ccielab@groupstudy.com>
cc

Subject
User Authentication Question

Hi,

I want to use domain controller user database to authenticate Remote VPN
user login. Could somebody show me the configuration on Cisco 1821 VPN
router?

Thanks!

• Next message: Trying CCIE: "Very high CPU utilization on BGP router"
• Previous message: Digital Yemeni: "Re: 1st Lab Attempt - Once Beaten, Twice Bold!!"
• Maybe in reply to: Ye Tian: "User Authentication Question"
• Next in thread: Radioactive Frog: "Re: User Authentication Question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:53 ART