Dial up, how to authenticate to workplace corp network ?

Hi,

I have configured a Cisco AS5350 with a PRI to take incoming PPP, CHAP
calls and authenticate those calls on an Interlink Radius server.

I can dial into the network my office network and ping everything,
telnet etc.

However I would like for users to be able to dial in and get their
windows machines be
on the windows network.

I have tried entering a domain name of the workplace domain when I dial
in and my
worlplace user and password but it does work.

Can somebody point me in the right direction please ? I am stuck, I
have been looking
in the forums but cannot see anything ?

Thanks in advance

D

When i dial it says Error 691: Access was denied because the username
and /or password was invalid on the domain.

(The cisco access server is passing a dns server and an nbns server
when I dial)

Do I have to do something with the active directory server like allow
my account to be dial in ?

The username you specify to make a connection is only used to verify
that you are permitted to connect. Even if you were authenticating to the
Windows server, this username is only used to authenticate the connection.

The credentials used when you try to access resources on the LAN are the
credentials from the original logon to the client machine. If the client did
a local login, then those are the credentials used.

(E-Mail Removed) wrote:
> Hi,
>
> I have configured a Cisco AS5350 with a PRI to take incoming PPP, CHAP
> calls and authenticate those calls on an Interlink Radius server.
>
> I can dial into the network my office network and ping everything,
> telnet etc.
>
> However I would like for users to be able to dial in and get their
> windows machines be
> on the windows network.
>
> I have tried entering a domain name of the workplace domain when I
> dial in and my
> worlplace user and password but it does work.
>
> Can somebody point me in the right direction please ? I am stuck, I
> have been looking
> in the forums but cannot see anything ?
>
> Thanks in advance
>
> D

In news:(E-Mail Removed) oups.com,
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
> Do I have to do something with the active directory server like allow
> my account to be dial in ?

If the Cisco device is authenticating to an Interlink RADIUS server, who is
that authenticating against? Active DIrectory or is that forwarding to an
IAS server that is authenticating against AD?

Is there a route or some sort of relationship created between the dialup/PPP
subnet to the internal subnet?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile
Infinite Diversities in Infinite Combinations

"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy.

Hi,

the username and password is created in the Interlink Radius server and
the Cisco authenticates from there.
An ip address is given out from a pool on the as5350.

When I log in I can ping everything on the corporate network but I want
to be able to map drives and all that
good stuff.

Not quite sure what to do here.

I created the username and password in radius the same as I use to
login to the windows network domain.

I try logging out of the windows domain and clicking on 'dialup' and
entering my username and password and
domain name, then when I dial it kicks me out with non existant on this
domain.

Do I need to talk to our active directory people ?

You are trying to kill two birds with one stone. Authenticating a VPN
connection is one thing. Valid credentials to access domain resources is
another.

Even if you manage to force the remote access server to authenticate
against AD via RADIUS, you still have not done a domain login. You have
simply authenticated the VPN connection.

The "login using a dialup connection" option is a Windows option. I
doubt that the Cisco will be able to handle it. I think you would need to be
connecting directly to the RRAS server for that to work.

(E-Mail Removed) wrote:
> I created the username and password in radius the same as I use to
> login to the windows network domain.
>
> I try logging out of the windows domain and clicking on 'dialup' and
> entering my username and password and
> domain name, then when I dial it kicks me out with non existant on
> this domain.
>
> Do I need to talk to our active directory people ?

In news:(E-Mail Removed) oups.com,
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
> Hi,
>
> the username and password is created in the Interlink Radius server
> and the Cisco authenticates from there.
> An ip address is given out from a pool on the as5350.
>
> When I log in I can ping everything on the corporate network but I
> want to be able to map drives and all that
> good stuff.
>
> Not quite sure what to do here.

Follow what Bill said. Authenticating agains the Inerlink Radius server just
allows the connection. YOu need to login to the Windows AD DOmain before
anything else happens. If you are not an AD admin, you will need to talk to
the AD admins to assist you.

Ace

Hey guys, it's working. I didn't have to change anything.

I just logged clicked the dialup option when Iogged in and made sure
that I logged in with the same user and password
that I use to login to my machine at work with the same domain and it
automatically worked and logged me into the domain.

What steps should I take to make these remote connections more secure?