Niall Inglis
2008-10-29 10:34:01 UTC
Hi,
I'm trying to set up remote access via Cisco VPN using IAS as an AAA server.
I want to try and minimise people entering credentials, so I want to use
certificates stored on smartcard tokens at the client. I can validate the
certificate at the VPN server and pass a RADIUS request to IAS. Where IAS
comes in is to verify that the username extracted from the certificate exists
in AD and is part of a group set up to authorize RAS access. So this would be
authorization rather than authentication (which occurred at the client end
when the token was inserted and unlocked).
What IAS is forcing me to do is authenticate the user against AD. Within the
connection profile the choices are to authenticate locally (which I don't
want) or "Accept users without validating credentials" which seems to bypass
the authorization step as well. When I look at the IAS logs the Policy
mapping is undetermined so it looks as though the remote access policies
which are where I've included the group membership checks are completely
ignored.
So how do I get IAS to validate a username without needing a password for
it? Do I need to start looking at EAP?
Regards
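The decision the poster wants IAS to make (user named in the certificate exists in AD and is in the remote-access group, no password involved) can be written down as a small authorization-only check. The following is an added example, not code from the original post and not part of IAS; the directory, group graph, account names and the `corp.example` realm are all constructed, hypothetical stand-ins for what a real deployment would look up in AD over LDAP.

```python
"""Authorization-only decision for a certificate-authenticated VPN user.

Added example, not code from the original post or from IAS.  It models the
flow the post describes: the VPN gateway has already validated the smartcard
certificate, so the RADIUS/AD step only answers "does the account named in
the certificate exist, and is it in the group that permits remote access?".
The directory below is a constructed, hypothetical stand-in for AD.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed sample directory (hypothetical): sAMAccountName -> direct groups.
DIRECTORY: Dict[str, Set[str]] = {
    "ninglis": {"VPN-Users"},
    "hroberts": {"IT-Admins", "Finance"},
    "jsmith": {"Finance"},
    "contractor1": set(),
}

# Constructed group graph (hypothetical): group -> member groups.  AD allows
# nesting, so "RAS-Allowed" grants access to everyone in VPN-Users or
# IT-Admins without listing those users directly.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "RAS-Allowed": {"VPN-Users", "IT-Admins"},
    "VPN-Users": set(),
    "IT-Admins": set(),
    "Finance": set(),
}

# Only certificates carrying this UPN suffix map onto local accounts
# (hypothetical realm).  A certificate from a trusted CA with some other
# suffix must not be mapped to a local account that shares the prefix.
ALLOWED_REALMS: Set[str] = {"corp.example"}

REQUIRED_GROUP = "RAS-Allowed"


def parse_upn(upn: str) -> Optional[Tuple[str, str]]:
    """Split a certificate UPN such as 'ninglis@corp.example' into
    (account, realm), lower-cased.  Returns None unless there is exactly
    one '@' with a non-empty part on each side."""
    parts = upn.strip().split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0].lower(), parts[1].lower()


def effective_groups(account: str,
                     directory: Dict[str, Set[str]] = DIRECTORY,
                     group_members: Dict[str, Set[str]] = GROUP_MEMBERS) -> Set[str]:
    """Direct groups plus every group reachable through nesting."""
    parents: Dict[str, Set[str]] = {}
    for parent, members in group_members.items():
        for member in members:
            parents.setdefault(member, set()).add(parent)
    seen: Set[str] = set()
    pending = list(directory.get(account, ()))
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        pending.extend(parents.get(group, ()))
    return seen


def authorize(upn: str, required_group: str = REQUIRED_GROUP) -> Tuple[str, str]:
    """Return (RADIUS decision, reason) for a certificate-derived UPN.
    No password is checked: authentication already happened when the
    smartcard was unlocked and the gateway validated the certificate."""
    parsed = parse_upn(upn)
    if parsed is None:
        return "Access-Reject", "malformed UPN"
    account, realm = parsed
    if realm not in ALLOWED_REALMS:
        return "Access-Reject", f"realm {realm} not mapped to this directory"
    if account not in DIRECTORY:
        return "Access-Reject", f"no account {account}"
    if required_group not in effective_groups(account):
        return "Access-Reject", f"{account} not in {required_group}"
    return "Access-Accept", f"{account} authorized via {required_group}"


if __name__ == "__main__":
    for sample in ("ninglis@corp.example", "hroberts@corp.example",
                   "jsmith@corp.example", "contractor1@corp.example",
                   "ninglis@partner.example", "nobody@corp.example", "broken"):
        print(f"{sample:28} -> {authorize(sample)}")
```

The group test is the part the poster's remote access policy is meant to express; the realm check is the piece that is easy to forget when the username is lifted out of a certificate rather than typed. One caveat that applies to any RADIUS server configured to accept users without validating credentials: whoever can send an Access-Request with the correct shared secret can assert any User-Name, so the shared secret and the list of permitted NAS addresses become the only thing standing between a rogue client and an Access-Accept.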