From: Chris Buechler <cbuechler at gmail dot com>
To: Curt Shaffer <cshaffer at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Radius Authentication
Date: Mon, 23 Aug 2004 19:09:41 -0400
> -----Original Message-----
> From: Curt Shaffer [mailto:cshaffer at gmail dot com]
> Sent: Thursday, August 19, 2004 6:00 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Radius Authentication
> 
> I had a quick question for anyone out there running a Windows network behind
> m0n0. I have a multi-site IPsec VPN set up and it is working great! The DCs
> are talking happily, the SQL is replicating happily, and DFS is working like
> a dream. Now I have the need to let some people in from home to run an
> application. Some are on dial-up, some on cable, DSL, etc. All different OSes
> from 98 to Macintosh. I only have 10 people that need in, so I want to keep
> it as administratively simple as possible (Mostly meaning that I don't want
> to have to put m0n0's at everyone's homes). So I was going to have them log
> in with PPTP to the m0n0s. I don't want them to use the same UNs and
> passwords as they do in the office, but I don't want them to have to
> re-authenticate to access drives and such. My question is: if I have the PPTP
> from the m0n0 authenticate against the RADIUS on the servers, are those
> users considered authenticated users in the eyes of Windows so that I can
> set the permissions on files/folders with the Authenticated Users group so
> they will not have to authenticate again?
> Thanks for all of your help.
> 

You can set up the PPTP VPN to authenticate off of RADIUS on one of
your DCs.  I'm using this setup in a couple of different network
environments and it works great.  But to answer your question,
authenticating via RADIUS on the VPN connection is not going to
authenticate them to the domain to access network resources.  The
RADIUS auth is simply to establish the VPN connection.  From there,
the user would have to authenticate against the DC again to access
network resources.

As a previous poster suggested, Citrix is a great way to go, though
it'll cost you a bit.  Terminal Services isn't as nice, but will get
the job done.  It also isn't exactly cheap.  I generally set up most
clients on Citrix that want a full-featured remote access environment.
That will work, for the most part, equally well no matter your
connection speed.  Depending on the application, it might not be
feasible to run it over VPN on dial-up, or even on broadband.

Also keep in mind remote users connecting into your network via PPTP
have TCP/IP access to your network, so that could be a gateway into
your network for worms and viruses.  With the way Citrix works, it is
far less likely that it could bring that junk in.

-Chris
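As an added illustration of the point Chris makes above (this is example code, not part of the original thread and not m0n0wall's or anyone's shipped code), here is a minimal RFC 2865 RADIUS exchange between a VPN concentrator (the NAS) and a RADIUS server, using PAP. It builds the Access-Request, recovers the User-Password on the server side, checks it against a local user table, and returns an Access-Accept or Access-Reject whose Response Authenticator the NAS verifies. What comes back on success is just a packet with a Framed-IP-Address attribute: there is no domain token, ticket or session in it, which is why the user still has to authenticate to the file server afterwards. The shared secret, user name, password and addresses are constructed sample values, and the user table stands in for whatever the server actually checks against.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept with PAP, both sides, offline.
Constructed example: no sockets, sample secret and credentials are made up."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8

SECRET = b"m0n0-shared-secret"                 # constructed NAS/server secret
USERS = {"vpn-curt": "n0t-the-d0main-pw"}      # constructed VPN user table


def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([atype, len(value) + 2]) + value


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def encode_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], keystream))
        out += prev
    return out


def decode_password(encoded, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """NAS side: what the VPN concentrator sends when a PPTP client logs in."""
    ra = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_password(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, bytes(map(int, nas_ip.split("."))))
             + _attr(SERVICE_TYPE, struct.pack("!I", 2))       # Framed
             + _attr(FRAMED_PROTOCOL, struct.pack("!I", 1)))   # PPP
    return _packet(ACCESS_REQUEST, ident, ra, attrs)


def handle_access_request(pkt, secret, users, pool_ip):
    """Server side: check the credential, answer with Accept (+ address) or Reject."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    ra = pkt[4:20]
    attrs = dict(_parse_attrs(pkt[20:length]))
    user = attrs.get(USER_NAME, b"").decode()
    password = decode_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    if users.get(user) == password:
        reply_code = ACCESS_ACCEPT
        reply_attrs = _attr(FRAMED_IP_ADDRESS, bytes(map(int, pool_ip.split("."))))
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(header + ra + reply_attrs + secret).digest()
    return _packet(reply_code, ident, resp_auth, reply_attrs)


def verify_response(reply, request, secret):
    """NAS side: accept the reply only if its authenticator and identifier check out."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if reply[4:20] != expected or ident != request[1]:
        raise ValueError("reply authenticator mismatch")
    return code, dict(_parse_attrs(reply[20:length]))


def demo(password="n0t-the-d0main-pw"):
    """Run one full exchange and return (code, attributes) as seen by the NAS."""
    req = build_access_request(7, "vpn-curt", password, SECRET, "192.168.1.1")
    reply = handle_access_request(req, SECRET, USERS, "192.168.200.10")
    return verify_response(reply, req, SECRET)


if __name__ == "__main__":
    print(demo())            # Accept with Framed-IP-Address, nothing domain-related
    print(demo("wrong")[0])  # 3 == Access-Reject
```

PAP is used here because it keeps the example short; a real PPTP deployment would normally carry MS-CHAP credentials in the vendor-specific attributes of RFC 2548 instead. Either way the reply is the same shape: a code, an authenticator and a few attributes, and nothing a Windows file server could treat as a logon.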