l2tp ipsec preshared keys AND certificates

[GMG]

Hi,

I have a scenario for l2tp ipsec vpns whereby the server will sit
behind a Cisco pix with an arm into it and an arm into my intranet.

I want to know whether it is possible to have clients authenticate
with the pix using a preshared key and then using certificates and
windows credentials, authenticate against the rras server/radius
server before gaining access to the LAN.

Security is paramount for me and I'm sure it can be done. Just need
some help as to how to do it. Do you think that it can be done and is
this the best MSFT way to implement a remote access solution.

At this stage smart cards and/or tokens aren't an option.

Thanks for reading and responding.

Gavin

 

[Bill Grant]

Does the Cisco offer RADIUS support? If it does, you don't really need
RRAS on the server at all. You simply configure your Windows server as an
IAS server. This makes it a RADIUS server. You set up your authentication on
this server, then configure the Cisco to use this machine as its RADIUS
server. The clients connect to the Cisco, but are authenticated by the IAS
server.

 

[GMG]

Thanks Bill.

I don't want it to be an either or scenario as I'd prefer to use
certificates over keys. They are harder to crack.

The Pix could probably handle IAS. If I use IAS I assume that this is
only going to authenticate credentials but not certificates?

G

 

[Bill Grant]

Why would you assume that? The normal operation of L2tp/IPSec in Windows
is to use certificates. Shared keys are frowned on.