03-10-2007 01:25 AM - edited 03-10-2019 03:02 PM
hi, I am using a PIX 7.2 and ACS 3.2. I want to perform remote access VPN authentication and authorization through AAA using RADIUS. I am able to use it when I am using local group policy on the PIX, but I am not able to do it using ACS. I was trying to use Cisco av-pair to send the parameters but it's not happening. Somebody please tell me the steps to proceed.
03-10-2007 05:48 AM
Hi,
What attributes are you trying to push ?
does the aaa server get any hits when trying to authenticate ?
Regards,
Vivek
03-10-2007 05:52 AM
hi vivek, I am successfully able to authenticate through ACS, and clients are also getting the IP address from the ACS IP pool defined. The problem is I was trying to push mode-cfg attributes like ipsec:firewall=0, ipsec:pfs=1 etc. through Cisco av-pair RADIUS attributes, but it's not happening.
03-10-2007 05:56 AM
Hi,
Can you put in your config here ?
Regards,
Vivek
03-10-2007 06:03 AM
hi, below is the desired config related to AAA on the PIX:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.10
key xxxxxx
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
authentication-server-group Radius
authentication-server-group (inside) Radius
authorization-server-group Radius
tunnel-group ciscovpn ipsec-attributes
pre-shared-key *
03-10-2007 06:37 AM
Hi,
Since you haven't given any group-policy config, I am assuming you haven't configured any external group policy on the ASA.
See the following link :-
Once you have configured an external group on PIX, you can push required attributes from the ACS.
HTH.
Regards,
Vivek
03-10-2007 06:46 AM
hi vivek, I had also tried that. I had made one external group with the name guest_group and a password of guest, and I mapped it into my tunnel-group. Now in ACS the VPN users belong to guest_group only, and in that group I defined these Cisco av-pair attributes:
vpngroup Password = "guest", Service-Type = Outbound
ipsec:firewall=1
ipsec:include-local-lan=1
03-10-2007 07:04 AM
Hi,
You would need to push attributes like client firewall, Split Tunneling Policy etc. using the attributes available under RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).
You can find all attributes under Interface configuration -> RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).
So instead of using Cisco av-pair (026/009/001) you need to use the pre-defined attributes like 026/3076/001.
Regards,
Vivek
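The distinction in the reply above, 026/009/001 (Cisco-AV-Pair) versus 026/3076/xxx (the Cisco VPN 3000/ASA/PIX dictionary), is visible in the RADIUS Vendor-Specific attribute itself: the two carry different vendor IDs in the attribute header, so a device looking for 3076 attributes will not see a string sent under vendor 9. As an added example that is not from this thread, the following Python encodes and decodes type-26 attributes (RFC 2865 format) so the vendor ID can be checked in a packet capture; the attribute values are constructed, and the 3076/1 = Access-Hours naming is from Cisco's dictionary.

```python
"""Encode/decode RADIUS Vendor-Specific attributes (type 26, RFC 2865).

Added example for this thread, not vendor code.  Wire layout of one VSA:
  Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value
"""
import struct

ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9            # Cisco-AV-Pair is 026/009/001 (free-form "k=v" string)
VENDOR_CISCO_VPN3000 = 3076  # Cisco VPN 3000/ASA/PIX 7.x+ dictionary, e.g. 026/3076/001


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute carrying a single vendor sub-attribute."""
    if len(value) > 247:  # Length is one byte: 255 - 6 (outer hdr+vendor id) - 2 (sub hdr)
        raise ValueError("VSA value too long for a single attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list.

    Returns (type, vendor_id, vendor_type, value) tuples; vendor fields are None
    for non-VSA attributes.  Raises ValueError on malformed lengths instead of
    silently reading past the buffer.
    """
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        body = blob[off + 2:off + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vlen != len(body) - 4:
                raise ValueError("vendor length does not match attribute length")
            out.append((atype, vendor_id, vtype, body[6:]))
        else:
            out.append((atype, None, None, body))
        off += alen
    return out


if __name__ == "__main__":
    # Constructed values: the av-pair string from the thread and a time-range name.
    blob = encode_vsa(VENDOR_CISCO, 1, b"ipsec:firewall=1") \
         + encode_vsa(VENDOR_CISCO_VPN3000, 1, b"business-hours")
    for atype, vid, vtype, value in decode_attributes(blob):
        print(f"attr {atype} vendor {vid} type {vtype}: {value!r}")
```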
03-10-2007 07:06 AM
yeah thanks for your reply. I found in the guide that for older versions of ACS other than 4.0, we have to push the VPN concentrator attributes.. this is not applied for ACS 4.0..
03-12-2007 12:12 AM
I am facing almost the same problem.
I need to authenticate my remote clients to ASA through ACS.
Remote VPN is working fine using the local username, but authentication through ACS is not working for me.
I have added my ASA as an AAA client in the ACS.
My configs in the ASA:
aaa-server vpn protocol tacacs+
aaa-server vpn host x.x.x.x
key ****
tunnel-group RemoteTunnel general-attributes
authentication-server-group (inside) Radius
authorization-server-group Radius
Any ideas?
03-12-2007 01:25 AM
hi, you have to attach an external group policy to the tunnel group for doing the external ACS authentication.. and the group name should be the username on the ACS, because ACS sees it as a username that is to be authenticated...
03-12-2007 01:34 AM
can you send an example?
03-12-2007 06:10 AM
Hi,
External authentication does not require an external group. External group is required when you want to push group policies from the Radius Server.
We can have an internal group forward auth request to the Radius server.
You need to change your config as follows :-
aaa-server vpn protocol radius
aaa-server vpn host x.x.x.x
tunnel-group RemoteTunnel general-attributes
authentication-server-group vpn
Make sure that you have added the ASA as an AAA client in ACS and set it to authenticate using RADIUS.
HTH
Regards,
Vivek
03-12-2007 09:16 PM
yeah, he is right... for external authentication we need only to attach the AAA server to the tunnel group.. if we want to push some attributes to the client then we need to do the above.. sorry, I thought that you wanted to have authorization also..
03-16-2007 07:59 AM
Please go on about the authorization on the PIX. I have an ACS group DEB that I mapped to an NT group DEB. I can authenticate to a PIX through VPN if I am assigned that NT group, but I can also authenticate if I am not part of the DEB group using the same DEB.pcf. I was hoping that the group mapping would be my solution, but that is not the case.
Elaborate a tad on the authorization setup on a pix please.
Thank you
Dwane