[VPN] cisco limitations

Adam Safier safieradam at hotmail.com
Tue Sep 24 22:47:34 EDT 2002


I agree that Cisco VPN 3K does not talk to an LDAP directly, except to fetch
CRLs.  You need a smart auth box in the middle.

I admit I have not tried this yet, but I would think that you could set up
one group to do plain PKI and another to use Radius or other external auth
servers and maybe even some internal user IDs.

Adam
GSS-Inc

----- Original Message -----
From: "Siddhartha Jain" <losttoy2000 at yahoo.co.uk>
To: "Adam Safier" <safieradam at hotmail.com>; "Watson, Travis"
<Travis.Watson at Honeywell.com>; <vpn at lists.shmoo.com>
Sent: Tuesday, September 24, 2002 12:48 AM
Subject: Re: [VPN] cisco limitations


> Ok. To be more specific.
>
> Do you want every user to do PKI+Username/password
> OR
> Do you want some users to use PKI and some users to
> use username/password?
>
> Either way it is possible.
>
> If your username/passwords are stored on LDAP, then
> you need a RADIUS/TACACS+ server which can talk to
> LDAP since VPN 3000 will not directly talk to LDAP. An
> example of RADIUS/TACACS+ is Cisco ACS. You may very
> well use MS RADIUS assuming it integrates with MS ADS.
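The thread's point is that the concentrator only speaks RADIUS for username/password users, so the "smart auth box in the middle" has to take the RADIUS request, recover the password and bind to LDAP on the user's behalf. The following is an added illustration, not code from this thread, from Cisco ACS or from any other product: it implements the RFC 2865 User-Password obfuscation (MD5 of the shared secret and the Request Authenticator, XORed over 16-byte blocks), parses a minimal Access-Request, and checks the recovered password against a constructed in-memory table that stands in for the LDAP simple bind a real shim would perform. The shared secret, usernames and passwords are all made up for the example.

```python
"""Minimal RADIUS-to-directory shim (constructed example, not a real product).

Why the middle box matters: the VPN concentrator never sees LDAP, it only
sends RADIUS. The shim holds the RADIUS shared secret, undoes the
User-Password obfuscation (RFC 2865 section 5.2) and then authenticates the
user against the directory. Here an in-memory dict replaces the LDAP bind.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-in for the LDAP directory: username -> password.
DIRECTORY = {b"alice": b"correct horse", b"bob": b"battery staple"}


def obfuscate_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block),
    where the 'previous block' of the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(secret: bytes, authenticator: bytes, encrypted: bytes) -> bytes:
    """Inverse of obfuscate_password; the shim needs the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, username, password, authenticator=None):
    """What the concentrator would send: code, id, length, authenticator, TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    enc = obfuscate_password(secret, authenticator, password)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(enc)]) + enc
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes):
    """Parse the RADIUS header and attribute TLVs, rejecting malformed lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def simulated_ldap_bind(username: bytes, password: bytes) -> bool:
    """Stands in for an LDAP simple bind; constant-time compare against the table."""
    stored = DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def handle_access_request(packet: bytes, secret: bytes) -> int:
    """The shim's decision: Access-Accept only if the directory accepts the credentials."""
    try:
        code, _ident, authenticator, attrs = parse_attributes(packet)
    except (ValueError, struct.error):
        return ACCESS_REJECT
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return ACCESS_REJECT
    password = recover_password(secret, authenticator, attrs[ATTR_USER_PASSWORD])
    return ACCESS_ACCEPT if simulated_ldap_bind(attrs[ATTR_USER_NAME], password) else ACCESS_REJECT


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(secret, 1, b"alice", b"correct horse")
    print("accept" if handle_access_request(req, secret) == ACCESS_ACCEPT else "reject")
```

Two things the example makes visible: a shim configured with the wrong shared secret recovers garbage and rejects a valid user, and a concentrator group set to plain PKI never produces an Access-Request at all, so the two authentication paths the thread describes can coexist without the shim knowing about the PKI users.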


