1. Home
  2. Cisco Systems
  3. VPN3000 Question

VPN3000 Question

Guys

I'm setting up a VPN3000 Series VPN concentrator

I have initially setup the user authentication on the unit itself, this was done as we had less than 20 users on the unit who were test bedding the system

I have now offered this service out to around 1000 of users users and have come in work today with over 100 requests for this service (allowing them to work from home)

I've noticed that under the authentication settings I can allow "Windows NT", it looks like the settings are looking for an AD server

My question is:

If I change the settings in the authentication box to point to "Windows NT" do I immidiatley lose the users (and passwords) in the VPN server or if I decide that I have chosen the wrong option and I change it back will I still have these users and not have to re-create all the users again

I'd be interested in trying this but do want to "just try" incase I seriously upset my userbase

TIA

Steve

Reply to
Steve Ray
Loading thread data ...

Not sure if they will save or not, but you should be able to backup your user database and config prior to the change and restore immediately upon issues. Check out that option and let us know.

Reply to
Trendkill

If you would like to try it out, create another group to test. It actually works fine. Creating additional groups are easy. Once you are comfortable, you can then move users into a "production" group as is convenient.

We didn't use straight AD authentication because we wanted to strictly authorize who could access our network with the VPN.

If you are an MS AD shop, think about using IAS/RADIUS and create an AD group that has the users whom you wish to access the VPN. One nice feature is that RADIUS with expiry allows the remote access user to change an expired domain password. Very convenient.

We settled on mutual authenticaton with a MS machine or user cert issued by our internal PKI and the RADIUS authentication. An easy to understand, two-factor authentication.

good luck.

Reply to
notaccie

This is great,

I'll give this a go

Steve

Reply to
Steve Ray

This is great,

I'll give this a go

Steve

Reply to
Steve Ray

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.