First, it is Internet Authentication Service (IAS), not Microsoft Internet
Security and Acceleration Server (ISA Server).

Microsoft Internet Security and Acceleration Server (ISA Server) is
described by Microsoft as an "integrated edge security gateway". Basically
ISA is a firewall, Internet Access control, and Internet Content control
Server that 'grew' out of the old MS Proxy Server.

The Internet Authentication Service (IAS) is an implementation of a RADIUS
server. IAS supports authentication for Windows-based clients, as well as
for third-party clients that adhere to the RADIUS standard. IAS stores its
authentication information in Active Directory, and can be managed with
Remote Access Policies. In Windows Server 2008, Network Policy Server (NPS)
replaces the Internet Authentication Service (IAS).

It really depends on where the VPN Client terminates.

1. If you are using the Cisco VPN client then I would set up the ASA to use
RADIUS (MS IAS) to authenticate the VPN users. This gives you 2-token auth,
as the client software authenticates to the HW with a group name and
certificate or fixed key. This auth data can be distributed periodically in
a pre-encrypted file by emailing a self-extracting PW-protected file to the
VPN users with simple instructions on how and when to import it into the client.
2. The second auth token occurs as soon as the software connects: the ASA
will query the client for the user name and PW of the VPN user (human) and
pass that info to the IAS (RADIUS) server, which will verify it against AD.
You create a security group and control group membership and permissions to
control VPN access. Using RADIUS, if you have someone removed from VPN access
you simply remove them from the VPN security group and they lose access
immediately. This way you don't have to figure out how to retrieve the
client software to stop their access. This user name/PW transaction is via
an encrypted tunnel between the user's PC (client SW) and the ASA so it
doesn't matter if the end user's transmission is intercepted. The other
benefit is that the end user only has to remember his/her network user name
and PW. One drawback to RADIUS is that the 'discussion' between ASA and IAS
is NOT encrypted, but in its defense it occurs behind the FW within your own

If the VPN terminates on your ISA Server then the same basic process occurs
between it and the AD. The biggest diff is that the ISA Server queries AD directly.
VPN user management is generally the same within AD.

-----Original Message-----
[] On Behalf Of Brian
Sent: Monday, March 17, 2008 5:05 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] ASA authentication via MS ISA vs. MS AD

Does anyone here have an opinion on whether it is better to
authenticate VPN users with ISA or AD via an ASA? What do you see as
the pros and cons?

Has anyone here configured it for AD? If so, by what means did you
limit access to VPN for specific users?
firewall-wizards mailing list
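As an added illustration of the point made in the reply above, that the ASA-to-IAS RADIUS exchange is not encrypted (example code written for this page, not from either poster): RFC 2865 hides only the User-Password attribute, by XORing it with MD5 digests of the shared secret chained from the Request Authenticator, while User-Name and the other attributes travel in the clear. The user name, password, NAS identifier and shared secret below are constructed values.

```python
import hashlib
import os
import struct

# RADIUS attribute types used here (RFC 2865 section 5)
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # first block is keyed off the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret and the packet can recover it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the NUL padding added by hide_password


def build_access_request(user: bytes, password: bytes, secret: bytes, nas_id: bytes,
                         ident: int = 0, authenticator=None) -> bytes:
    """Encode an Access-Request (code 1) the way a NAS such as the ASA puts it on the wire."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = b""
    for atype, value in ((USER_NAME, user),
                         (USER_PASSWORD, hide_password(password, secret, authenticator)),
                         (NAS_IDENTIFIER, nas_id)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value
    # Header: Code, Identifier, Length (header + attributes), Authenticator
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the fixed 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

Feeding a captured Access-Request to `parse_attributes` shows the user name readable as-is, which is why the reply's "behind the FW" caveat matters.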