[Vpn-help] FW: Connection before domain login

gregmail at outtacyte.com gregmail at outtacyte.com
Fri Dec 11 01:38:56 CST 2009


Sounds like the perfect time to steal share from Cisco.  The EasyVPN doesn't
do it either.

 

From what I gathered by reading from some Vista SDK documentation the
Credential Provider acquires the credentials from the user @ Logon.

From there, I gather that the credential provider could then establish the
VPN connection (Mine is straight PSK) and then any XAuth would be the
credential given by the user.

 

This would allow the tunnel to be set up and then the CP could pass the
credential to WinLogon finishing the logon.

 

OK.  I don't really need XAuth in my situation, just a tunnel.  Would it be
possible to have a service start when the system starts and set up the
tunnel before the logon was even attempted?

 

If that would be possible, then I can see pretty easily (I think) how the CP
could then interact with the service to wake it up and have it do its
thing.

 

Hmm...

 

Since I know we can set up the tunnel using the command-line tool, couldn't
I just wrap a service around that?

 

-greg

 

  _____  

From: Evan Kinney [mailto:Evan.Kinney at sas.com] 
Sent: Friday, December 11, 2009 12:09 AM
To: gregmail at outtacyte.com; vpn-help at lists.shrew.net
Subject: RE: [Vpn-help] FW: Connection before domain login

 

This is actually a whole lot more complicated than it sounds.

 

What you're referring to used to be called GINA, and was pretty easy to
implement due to XP's extremely lax security model. The Cisco client is
using GINA to provide that dialog before login. Microsoft essentially
removed GINA support in Vista when they redesigned winlogon, but introduced
a new model that uses new components, referred to as Credential Providers.
Windows 7 also added the Windows Biometric Framework, which, in the future,
will be extensible to devices other than biometric ones.

 

So, short answer: as far as I know, Matthew hasn't done anything with CPs in
Access Manager. You won't be able to do what you're asking until this
changes.

 

---

Evan M. Kinney

Systems Administrator, Research and Development

SAS Institute Inc.

 

 

From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of
gregmail at outtacyte.com
Sent: Thursday, December 10, 2009 11:20 PM
To: vpn-help at lists.shrew.net
Subject: [Vpn-help] FW: Connection before domain login

 

Hi, this is my second attempt to get something in the mailing list.  I hope
this one works.

 

The Cisco Easy VPN has an option to allow a connection before the domain
login (welcome screen) and I need a similar function.

 

For my 32-bit platforms, I'm OK, but would prefer to use the Access Manager
for them.  For my 64-bit platforms (Win 7, 64-bit) I need to make it so
engineers can connect up, login, have their drives map, and otherwise
pretend that they are at the office.  I can do this with the Easy VPN.  I
suspect this can be done with the Access Manager using the command line
executable with appropriate parameters.  I just don't know how to make it
happen before the user logs in.

 

How can I do this with the Access Manager?

 

-greg
