I enabled the RADIUS and connected successfully. The users do have access tokens to access domain resources that their RADIUS users have access to. It is working great! Just thought I would let you all know. Thanks for all of your help and suggestions!

--
Curt Shaffer, MCP
Wireless/Network Specialist
Chilitech Internet Solutions
www.chilitech.net
866-678-6858
efax: 1-309-412-4809

On Mon, 23 Aug 2004 19:09:41 -0400, Chris Buechler <cbuechler at gmail dot com> wrote:
> > -----Original Message-----
> > From: Curt Shaffer [mailto:cshaffer at gmail dot com]
> > Sent: Thursday, August 19, 2004 6:00 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] Radius Authentication
> >
> > I had a quick question for anyone out there running a Windows network behind
> > m0n0. I have a multi site ipsec VPN set up and it is working great! The DC's
> > are talking happily, the SQL is replicating happily, and DFS is working like
> > a dream. Now I have the need to let some people in from home to run an
> > application. Some are on dial up, some on cable, DSL, etc. All different OSes
> > from 98 to Macintosh. I only have 10 people that need in, so I want to keep
> > it as administratively simple as possible (Mostly meaning that I don't want
> > to have to put m0n0's at everyone's homes). So I was going to have them log
> > in with PPTP to the m0n0's. I don't want them to use the same UN's and
> > passwords as they do in the office, but I don't want them to have to re
> > authenticate to access drives and such. My question is: If I have the PPTP
> > from the m0n0 authenticate against the Radius on the servers, are those
> > users considered authenticated users in the eyes of Windows so that I can
> > set the permissions on files/folders with the authenticated users group so
> > they will not have to authenticate again?
> > Thanks for all of your help
> >
>
> You can set up the PPTP VPN to authenticate off of RADIUS on one of
> your DC's. I'm using this setup in a couple different network
> environments and it works great. But to answer your question,
> authenticating via RADIUS on the VPN connection is not going to
> authenticate them to the domain to access network resources. The
> RADIUS auth is simply to establish the VPN connection. From there,
> the user would have to authenticate against the DC again to access
> network resources.
>
> As a previous poster suggested, Citrix is a great way to go, though
> it'll cost you a bit. Terminal Services isn't as nice, but will get
> the job done. It also isn't exactly cheap. I generally set up most
> clients on Citrix that want a full featured remote access environment.
> That will work, for the most part, equally well no matter your
> connection speed. Depending on the application, it might not be
> feasible to run it over VPN on dial up, or even on broadband.
>
> Also keep in mind remote users connecting into your network via PPTP
> have TCP/IP access to your network, so that could be a gateway into
> your network for worms and viruses. With the way Citrix works, it is
> far less likely that it could bring that junk in.
>
> -Chris
>