Firewall Wizards mailing list archives
Re: ASA authentication via MS ISA vs. MS AD
From: "Sanford Reed" <sanford.reed () cox net>
Date: Tue, 18 Mar 2008 13:37:37 -0400
First, it is Internet Authentication Service (IAS), not Microsoft Internet Security and Acceleration Server (ISA Server).

Microsoft Internet Security and Acceleration Server (ISA Server) is described by Microsoft as an "integrated edge security gateway". Basically ISA is a firewall, Internet Access control, and Internet Content control Server that 'grew' out of the old MS Proxy Server.

The Internet Authentication Service (IAS) is an implementation of a RADIUS server. IAS supports authentication for Windows-based clients, as well as for third-party clients that adhere to the RADIUS standard. IAS stores its authentication information in Active Directory, and can be managed with Remote Access Policies. In Windows Server 2008, Network Policy Server (NPS) replaces the Internet Authentication Service (IAS).

It really depends on where the VPN Client terminates.

1. If you are using the Cisco VPN client then I would set up the ASA to use RADIUS (MS IAS) to authenticate the VPN users. This gives you 2 token auth as the client software authenticates to the HW with a group name and certificate or fixed key. This auth data can be distributed periodically in a pre-encrypted file by emailing a self-extracting PW protected file to the VPN users with simple instructions how and when to import it into the client software.

2. The second auth token occurs as soon as the software connects: the ASA will query the client for the User name and PW of the VPN User (Human) and pass that info to the IAS (RADIUS) Server which will verify it against AD. You create a security group and control group membership and permissions to control VPN Access. Using RADIUS, if you have someone removed from VPN Access you simply remove them from the VPN Security Group and they lose access immediately. This way you don't have to figure out how to retrieve the client software to stop their access.

This user name/PW transaction is via an encrypted tunnel between the user's PC (Client SW) and the ASA so it doesn't matter if the end user's transmission is intercepted. The other Bennie is that the End user only has to remember his/her network user name and PW. One drawback to RADIUS is that the 'discussion' between ASA and IAS is NOT encrypted, but in its defense it occurs behind the FW within your own network.

If the VPN terminates on your ISA Server then the same basic process occurs between it and the AD. The biggest diff is the ISA Server queries AD direct. VPN User management is generally the same within AD.

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Brian Loe
Sent: Monday, March 17, 2008 5:05 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA authentication via MS ISA vs. MS AD

Does anyone here have an opinion on whether it is better to authenticate VPN users with ISA or AD via an ASA? What do you see as the pros and cons? Has anyone here configured it for AD? If so, by what means did you limit access to VPN for specific users?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
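As an added illustration (not part of Sanford's reply or of Brian's original post), here is a small Python model of the ASA-to-IAS leg of the exchange described above, built on RFC 2865 framing: the ASA (the NAS) sends an Access-Request carrying User-Name and a User-Password attribute that is obfuscated with MD5 keyed by the shared secret; the RADIUS server recovers the password, checks it and membership of the VPN security group against a stand-in for AD, and answers with an Access-Accept or Access-Reject whose Response Authenticator the ASA verifies. The user directory, the shared secret, the NAS address 192.0.2.1 and the group name "VPN Users" are all constructed for the example. The `passive_view` function shows what an observer on the ASA/IAS segment can read without the shared secret (the user name and NAS address, but not the password), which is the substance of the drawback noted in the reply and why both the secret and the network placement of that segment matter.

```python
"""Toy model of the ASA -> RADIUS (IAS) -> AD exchange, using RFC 2865 packet framing.
Constructed for illustration; the directory, secret and addresses are not real."""
import hashlib
import os
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a party holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # strip the RFC padding (assumes the password has no trailing NUL)


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body: bytes) -> dict:
    """Split the attribute section into {type: value}; every valid attribute has Length >= 2."""
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """What the ASA sends to IAS once the client tunnel is up and the user has typed name/PW."""
    request_auth = request_auth or os.urandom(16)
    body = (attr(ATTR_USER_NAME, username.encode())
            + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
            + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def passive_view(packet: bytes) -> dict:
    """What an observer on the ASA<->IAS segment sees without the shared secret."""
    code, ident, length = HEADER.unpack(packet[:4])
    attrs = parse_attrs(packet[20:length])
    return {"code": code, "user_name": attrs[ATTR_USER_NAME].decode(),
            "password_bytes_hidden": len(attrs[ATTR_USER_PASSWORD])}


# Constructed stand-in for AD: username -> (password, security groups).
DIRECTORY = {
    "alice": ("correct horse", {"Domain Users", "VPN Users"}),
    "bob": ("battery staple", {"Domain Users"}),  # valid account, not in the VPN group
}
VPN_GROUP = "VPN Users"


def radius_server_respond(packet: bytes, secret: bytes, directory=DIRECTORY) -> bytes:
    """IAS side: recover the password, check it and the VPN group against the directory,
    then reply with Accept/Reject carrying the RFC 2865 s3 Response Authenticator."""
    code, ident, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    entry = directory.get(user)
    ok = entry is not None and pw == entry[0].encode() and VPN_GROUP in entry[1]
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret); no attributes here.
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """ASA side: accept only replies whose authenticator was computed with the shared secret."""
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return response[4:20] == expected and response[1] == request[1]


def vpn_login(username, password, secret=b"constructed-shared-secret",
              nas_ip="192.0.2.1", directory=DIRECTORY) -> bool:
    """End to end: ASA builds the request, IAS answers, ASA checks the reply."""
    req = build_access_request(7, secret, username, password, nas_ip)
    resp = radius_server_respond(req, secret, directory)
    if not verify_response(req, resp, secret):
        raise ValueError("response authenticator mismatch: wrong secret or tampered reply")
    return resp[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    req = build_access_request(1, b"constructed-shared-secret", "alice", "correct horse", "192.0.2.1")
    print("on the wire:", passive_view(req))
    print("alice:", vpn_login("alice", "correct horse"), " bob:", vpn_login("bob", "battery staple"))
```

Removing a user from the VPN group in the directory flips the outcome to a reject without touching the client software, which is the management point made in the reply; the passive view is the reason the ASA/IAS segment should stay inside the firewall.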