Captain Colonoscopy (2[H]4U) | Joined: Feb 19, 2004 | Messages: 3,861
First, a little backstory . . . . I am in the process of moving our entire office over to a Server 2008-only AD domain. We previously had two 2003 DCs. These were demoted and removed from the domain after bringing on a transitional 2008 server to be the DC while I wiped the "old" servers and installed 2008 on them. Now that is finished and we have two 2008 server DCs. Since doing this, our VPN authentication on our ASA quit working. We use the "NT Domain" option for AAA. I went in and changed all the AAA server settings on the ASA over to the new servers, and the authentication still wouldn't work. I started doing the authentication tests on the ASA, and they all fail saying they can't find the authentication servers. The firewall CAN ping the DCs, so there aren't any problems there. I went through the ASA config for every single trace of the old servers and replaced those IPs/hostnames with the new servers. I even went so far as to completely remove all the old AAA setup and re-create new AAA groups. I still cannot get the authentication to work at all. I disabled the Windows firewalls on the servers just to make sure, and still I get no authentication.
In the past you simply put in the name and IP address of a Windows DC, and then it authenticated and it just worked. For the life of me I cannot get this working with 2008 server. I have never had a problem with 2000/2003 doing this type of authentication for a Cisco PIX or ASA firewall.
This leads me to think that perhaps Server 2008 does not support "NT Domain" authentication? Perhaps you have to install some special "role" or "feature" to get this working? I have been all over the googler and Microsoft's and Cisco's sites. I have come to the conclusion that I am either severely inept at using search engines or I am the first person to bitch about this . . . Has anyone here run into this yet? Am I really going to need to set up IAS/RADIUS on a server to get the VPN authentication working again? We have a ton of clients that use Cisco VPN authenticated against AD, and I want to get this all sorted out before my boss sells someone a new box with 2008 on it....