Question : Cisco 3020 VPN Concentrator Security Question

Hello,

We're testing out a 3020 Concentrator from Cisco for our VPN access to our users and business partners.  We're trying to determine which is the best route to go with respect to Authentication, RADIUS or Kerberos/Active Directory.  We've set up Microsoft IAS (RADIUS) server on one of our internal AD DCs and added the 3020 as a RADIUS client.  The test group I created on the 3020 is set up to use RADIUS under the Authentication + Authorization tabs in the "Remote Access" page.  We added the MS IAS RADIUS server with the shared secret key into the 3020.

I can't get it to work, but my real question is, which one is more secure, using RADIUS or using Kerberos/AD for authentication?  Essentially, we want to set up groups on the 3020 for our business partners and allow for 2 factor authentication with our Active Directory.  We would really like to go all the way and do Authorization and Accounting as well.  Is RADIUS the way to go, or Kerberos/AD?  

During our testing, we're seeing error messages in the system log for the IAS server stating the 3020 client is using PAP to authenticate and we've removed all authentication modes except MSCHAP v2.

Can't get anything to work.  Any help or suggestions would be appreciated.

Answer : Cisco 3020 VPN Concentrator Security Question

Okay, since, as you said, the domain controller communication is working fine: can we have the policy *not* have the *MS-RAS-Vendor* attribute? Instead, just add *Day Time* settings (I mean the logon hour restrictions, with all times permitted). Just have one policy condition, and let that be the above.

On the PAP, you do have the Concentrator checked to use MSChapv2, right? Quick double check?

Cheers,
Rajesh
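
To confirm from a packet capture which method the concentrator really sends (the IAS log in the question reports PAP while only MS-CHAP v2 is permitted), this added example, which is not part of the original thread, classifies a RADIUS Access-Request by its attributes as defined in RFC 2865, RFC 2869 and RFC 2548. The function names are illustrative and the sample packets are constructed with dummy field contents.

```python
import struct

MS_VENDOR = struct.pack("!I", 311)            # Microsoft vendor ID (RFC 2548)
# Standard attribute types that reveal the method (RFC 2865 / RFC 2869)
STANDARD_METHODS = {2: "PAP", 3: "CHAP", 79: "EAP"}
# Microsoft vendor-specific types: MS-CHAP-Response, MS-CHAP2-Response
MS_METHODS = {1: "MS-CHAPv1", 25: "MS-CHAPv2"}

def iter_attributes(data):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, data[pos + 2:pos + attr_len]
        pos += attr_len

def auth_methods(packet):
    """Return the set of authentication methods carried in an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = set()
    for attr_type, value in iter_attributes(packet[20:length]):
        if attr_type in STANDARD_METHODS:
            found.add(STANDARD_METHODS[attr_type])
        elif attr_type == 26 and value[:4] == MS_VENDOR:   # Vendor-Specific
            for vendor_type, _data in iter_attributes(value[4:]):
                if vendor_type in MS_METHODS:
                    found.add(MS_METHODS[vendor_type])
    return found

def build_request(attrs):
    """Build a constructed Access-Request (zeroed authenticator) for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: field sizes are correct, contents are zero bytes.
PAP_REQUEST = build_request([(1, b"testuser"), (2, bytes(16))])
MSCHAP2_VSA = MS_VENDOR + bytes([25, 52]) + bytes(50)
MSCHAP2_REQUEST = build_request([(1, b"testuser"), (26, MSCHAP2_VSA)])
```

Feed `auth_methods` the UDP payload of a captured Access-Request; a result of `{"PAP"}` means the User-Password attribute is still being sent and the client-side setting has not taken effect.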