VPN using Kerberos authentication

I'm trying to set up the Cisco VPN on a PIX 515e, running 7.0(4)2 to use Kerberos authentication (via our Windows 2000 Server), using the Cisco VPN client.

I got the VPN to work with both the local authentication (the local user database on the PIX), and with NT authentication, but what we really want is to use Kerberos authentication.

I set up the VPN using the ASDM VPN Wizard, which seems to work great, other than this Kerberos issue, and so I'll only list the parameters (and the responses I give) on the Wizard page that deals with AAA.

Field on the VPN wizard     My response
-----------------------     -----------
Server Group Name           MyServerGroup
Authentication Protocol     Kerberos
Server IP address           A.B.C.D (IP address of the Windows server we use for authentication)
Interface                   inside (because our Windows server is on the "inside" network)
Server Realm Name           OURDOMAIN.NET (where our domain is "OurDomain.net")

I read the Kerberos Realm is traditionally the uppercase of the Windows domain name. The rest of the configuration is not related to just Kerberos, but the VPN in general, and seems to work. And I enter that as I always do.

That given, attempting to connect with the Cisco VPN Client fails very quickly. So quickly that I don't think the authentication is failing on the Windows server, but rather the PIX is failing to connect to the Windows server. The error number on the client is 413, as would be expected in this case.

Thanks in advance for any suggestions.

B Squared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"We've got to pause and ask ourselves: How much clean air do we need?"
--Lee Iacocca, making excuses over Detroit's resistance to tougher automobile emission standards, 1974.


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.