[VPN] A domain controller and Netscreen vpn configuration

TKoopman at SonicWALL.com TKoopman at SonicWALL.com
Thu Feb 13 19:07:38 EST 2003


Yuval, 

I'll pitch in with some answers because this is not specifically a Netscreen question and more generally falls into Windows AD authentication through a VPN client.

Netscreen, and many others, use the SafeNet client.  This client has an XAUTH agent built right into it.  The Netscreen can link a VPN client tunnel to a RADIUS server.  Consult the Netscreen documentation or just click around until you find it.

So, the easiest way to accomplish your secondary authentication is to redirect to a RADIUS server.  The RADIUS server in turn is linked to your AD server.  The remote user will be presented with an additional username/password prompt and will enter their regular domain user name and password.

To make this all run smoother, the remote laptop or computer should be a member of the domain.  The user will initially log in with cached credentials, then establish the tunnel, be prompted for the RADIUS password, and then be on the network.

One note of caution.  You may run into Kerberos authentication issues if you are attempting to access network resources through this VPN client tunnel.

By default, the Kerberos packets are UDP packets until they exceed 2000 bytes.  This results in fragmented UDP packets which will not traverse the VPN client tunnel.  Search on Microsoft's TechNet for "Kerberos and VPN" and you will find several articles related to this.  The one you want tells you how to modify the registry to force Kerberos into a TCP packet, and then it will traverse the tunnel without any problems.

I would not anticipate any severe difficulties in making all this work.  This is exactly what we do at SonicWALL (another firewall/vpn manufacturer) and with many of our customers.

Best Regards

TODD KOOPMAN
Systems Engineer
SonicWALL
tkoopman at sonicwall.com
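The registry change Todd refers to above, as an added example that is not part of the original message: the Kerberos client's UDP-to-TCP threshold lives in the DWORD value MaxPacketSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (Microsoft KB 244474), and setting it to 1 forces every Kerberos exchange over TCP so no large UDP ticket needs to be fragmented across the IPsec tunnel. The function names below are my own; the key path and value name are Microsoft's. Run it in an elevated PowerShell on the remote client and reboot afterwards.

```powershell
# Added example (not from the original mailing-list post): force the Windows
# Kerberos client to use TCP rather than UDP so large tickets (e.g. users with
# many group SIDs) are not fragmented across the VPN client tunnel.
# Key and value from Microsoft KB 244474. Requires an elevated shell and a
# reboot for the Kerberos SSP to pick up the new value.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the byte threshold above which Kerberos switches from UDP to
    # TCP, or $null when the value has never been set (OS default applies:
    # 2000 on Windows 2000, 1465 on XP/2003; Vista and later use TCP anyway).
    $item = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosForceTcp {
    # MaxPacketSize = 1 means "anything larger than 1 byte goes over TCP",
    # i.e. every AS-REQ/TGS-REQ uses TCP. Creates the key if it is missing.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    New-ItemProperty -Path $KerbParams -Name MaxPacketSize `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Show the current state, apply the change, and read it back to confirm.
$before = Get-KerberosMaxPacketSize
if ($null -eq $before) {
    Write-Host 'MaxPacketSize not set; the OS default UDP threshold is in effect.'
} else {
    Write-Host "MaxPacketSize is currently $before bytes."
}

Set-KerberosForceTcp
$after = Get-KerberosMaxPacketSize
if ($after -ne 1) { throw "Failed to set MaxPacketSize (read back '$after')." }
Write-Host 'Kerberos will use TCP for all exchanges after the next reboot.'
```

On Windows Vista and later the Kerberos client already defaults to TCP, so this setting matters mainly for the Windows 2000 and XP clients discussed in this thread; on those, check that TCP/88 to the domain controllers is permitted through the tunnel policy once the switch is made.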



-----Original Message-----
From: Yuval Ararat [mailto:yararat at go-documenta.com]
Sent: Thursday, February 13, 2003 2:48 PM
To: vpn at lists.shmoo.com
Subject: [VPN] A domain controller and Netscreen vpn configuration


Does anyone on the list have any information about connecting a Netscreen
XP5 device with a Windows 2000 Active Directory for authentication and
logon of the road warriors? How do I configure it with the Netscreen
client, and how do I configure it so as not to disturb the login process of a
client that has no network connection to the VPN?

Regards, Yuval Ararat 
Documenta LLC
www.documentausa.com


_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn


