From my experiences in deploying both PIX and the 3000 series concentrators,
the question of 'seamless' authentication or access to network resources
once connected to the VPN is always an issue.
To get around this I have seen various methods utilized, each of which has
catches and possibly requires users' computers to be altered, which throws a
wrench into things if we're talking home users' PCs etc.  Argh.
The first method is what you have already mentioned, which is to have the
Cisco client load before the Windows login prompt and establish the VPN, and
then use the regular domain username and password, which will provide full
resource authentication based on the NT account rights.
I have been successful with this method and have found it to work quite
reliably.  The other methods I have used are kind of clunky in my own opinion,
which are a) have the users authenticate to the VPN, then distribute a batch
file login script with the 'user' switch in it, which when executed will
prompt the user for a password once, and then cache the authentication
credentials for future resource requests, or b) create a matching profile on
the local machine that matches the username/password created in the NT
database, which will allow the seamless authentication effect.
As you can see, a & b are not scalable and require more configuration of the
user's machine and ability on the user's part.
I apologize for the long-winded reply, and I hope this sheds some light on
the topic.  I am interested to hear of anyone else's solutions to this
problem.  Ultimately I think with your specific case, seamless
authentication is your only route (i.e. using the client boot before startup
method), as the domain event logs will not prompt you to authenticate, in
which case cached credentials have to be used.

Cheers.

Adam

> I am using a PIX and VPN client 3.6 and getting in works just fine. Problem
> is I want to connect to NT domain resources across the board after logging
> into VPN. I know you can connect to network shares using alternate username
> and password but for things like remote event logs on the domain, you don't
> get prompted and will be denied.
> 
> I am aware that you can have VPN connect before logging into Windows and
> then log into the domain after VPN is connected but I don't want to alter
> people's computers that are logging in locally. I would rather get access to
> the domain after logging in locally and then the VPN.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66647&t=66618
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html