You're right ADB100.
You only need a Machine Cert on the RADIUS server that is trusted by the clients. You can either post the certificate containing the public key of the RADIUS server with no risk, or you can push it out through Active Directory group policy by including it in the "Trusted...
Political reasons? You mean they don't trust Microsoft? Funny that they're running ACS on top of Microsoft windows if that's the case.
Let me tell you something about IAS and ACS. IAS has been running for years without any problems and I can't remember the last time there was a remote...
Ktripp,
There is no 50-user barrier. It's 50 Access Points I think. You can support as many users as your Active Directory will handle. It's a straight pass-through to Active Directory. Linux will work with the generic PEAP (PEAP-EAP-MSCHAPv2) or EAP-TLS implementation. It will not work...
Ktripp,
See this article first:
http://www.lanarchitect.net/Articles/Wireless/SecurityRating/index.htm
This is also a must read:
http://blogs.zdnet.com/Ou/?p=67
ACS is horribly unstable and buggy. Use IAS on Windows 2003 w/SP1. Your domain controller should be Win2003 SP1 too, but other...
FWIOS is much more powerful. Here is a list of things off the top of my head that FWIOS can do that PIX cannot.
* Policy based routing
* BGP (for advanced failover routing)
* ISDN and T1 termination
* QoS outside and inside an IPSEC tunnel (if you want to transmit things like VoIP and Video)...
Yes, you can use TAC. What has always impressed me about Cisco support is that they'll bend over backwards to support these odd types of problems for a $75/year support license. We used to pay Nokia and CheckPoint $13K a year and they won't even give telephone support without upgrading the...
For this kind of stuff, I'd get myself a support contract with Cisco. Since you're talking about the PIX501, a support contract should be around $100 a year. Believe me, I've gotten more than my money's worth in Cisco support for these kinds of problems.
The support from Cisco on devices...
No, I only know Win2k, Win2003, ISA2004, NetScreen, Nortel, CheckPoint, PIX, Cisco Firewall IOS. As far as I'm concerned, IPSEC is IPSEC. Just make sure you're comfortable with whatever platform you choose.
I was going to try out the IPCOP ISO, but it's all just another derivative of...
1. ICS will not work with RRAS, but RRAS has its own "basic firewall" which works fine. You can use it to limit inbound ESP, GRE, UDP 4500, UDP 500, and PPTP (gotta look that up).
2. Windows 2003 has NAT-T capability for IPSEC and it has better security for PPTP and L2TP, not to mention the...
If you already have a Windows 2000 server you can use, upgrade it to 2003 and use its RRAS service. Otherwise, buy something like a cheap PIX501 or NetScreen 5GT or a Fortinet box for around $550. You need the firewall to protect your network anyway. The NetScreen and Fortinet boxes also...
EAP-TLS can be implemented automatically via Active Directory group policy for Windows XP SP1 (with WPA patch). Note that if you want to go as far as automating "user certificates" (not machine certificates), you will need to purchase Windows 2003 Enterprise edition to run the Certificate...
EAP-FAST as far as I know works with the Cisco ACU client and the latest version of Cisco's ACS RADIUS server both of which you can update for free. I'm not sure about the Win2k SP4 business. As far as I'm concerned, you're wasting your time if you're not running XP SP1 with WPA patch or SP2...
These 2 articles are a must read for anyone running Cisco LEAP or considering EAP-FAST. No one else has anything significant on Cisco's new EAP-FAST protocol yet.
EAP-FAST: The LEAP and PEAP killer?
Is Cisco's new EAP-FAST protocol really "as easy as LEAP" and "as secure as PEAP"? See for...
Thanks.
The licensing is one of those things that annoys me about the PIX. I've got about 30 of those things deployed in the field (because they were cheap) and the licensing restrictions cause problems when a user starts testing multiple systems on it and runs out of licenses. What seems to happen...
The PIX sure doesn't. I love its performance and the fact that the entire PIX OS fits on well under 16 MB of flash. The PIX is rock solid and it is lean, mean and super fast with its per-interface policy engine and turbo ACLs.
One thing I will say is that they really gotta fix the UI on...