shifty
Guest
Posted: Wed Dec 07, 2005 9:21 am
Post subject: Windows 2000 + PIX + AD - changing passwords?
I have a unique problem in that there's nothing in Usenet about it I
can locate :)
I have a PIX 515 with 6.3(4) FW. I've an Active Directory based
network on the inside. It is the single firewall on my network and the
gateway for all clients.
The PIX is set up for PPTP VPN, authenticating all AD users with dial-in
permissions enabled using RADIUS and then dropping them inside the VPN
to work internally.
All current AD accounts and passwords are able to authenticate on the
VPN and route to workstations inside the network fine; however, if the
user changes their AD password, they can still authenticate properly to the
PPTP VPN, but they can't get any packets into the network. It seems
they're being redirected or dropped somewhere.
With login before or after password change, the routing tables on the
VPN client are the same (no change). All routing tables given are
correct in both cases, so packets should be getting through in both
situations. It is almost as if passwords or routes are being cached
somewhere and the missing/dropped packet problem persists between
reloads and reboots of the domain controller and the PIX.
I've done everything shy of setting up Ethereal in a few places to track
packets. I set up console debugging on the PIX and notice that packets
with the original password show up in the PIX console, but when the AD
password is changed and the user logs on with the new password, I
don't seem to see the packets in the console.
I'm stumped. Has anyone EVER seen anything like this before? It makes
no sense to me. Is it possible that Routing and Remote Access or
something else could be causing this problem? With all routes intact,
the client knows where to send the packets to; they are apparently just
being dumped or something.
Any help greatly appreciated.