In article , Christoph Gartmann wrote:
:In article , student/u16035 writes:
:>where are the user database store?
:>Pix or Radius?
:Radius. The pix contacts the Radius server. But this doesn't make any
:difference for the remote client.
Actually it does. Any of the PIX series (including the 501) can be configured to contact a remote radius server to authenticate outgoing user traffic. If you were to provide the users with 501s, then the goal of requiring the user to have both the device and the ID+password would be reached, without the theoretical difficulty of wanting a security-gateway to security-gateway (LAN to LAN) to be able to perform username/password prompting all the way back from the remote gateway to the user's -host- (which is a host to gateway function instead of a gateway to gateway function).
If I recall correctly, instead of a PIX series, you could also use a Linksys BEFVP41 with radius authentication. The BEFVP41 has no problems connecting to a remote PIX (unless said PIX is demanding AES). I have experienced a very small number of connection hangs with the BEFVP41. There is also the BEFXS41, able to handle two VPN tunnels, but I had connection hangs every few days with it; the higher quality of the BEFVP41 is worth the price difference.