Remote Access- ASA

Amin Shaikh
Level 1

Hi,

Moving from VPN Concentrator to ASA for Remote Access.

I tested the following configuration but no luck: the user accounts are created on ACS but cannot get authenticated. I am still missing something.

==========Remote-Access-Config=======
ip local pool JK 192.168.10.1-192.168.10.150 mask 255.255.255.0
group-policy PAK-TEL internal
group-policy PAK-TEL attributes
 wins-server value 192.168.1.100
 dns-server value 192.168.1.100
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group PAK-TEL type ipsec-ra
tunnel-group PAK-TEL general-attributes
 address-pool JK
 default-group-policy PAK-TEL
tunnel-group PAK-TEL ipsec-attributes
 pre-shared-key *
telnet timeout 1440

5 Replies

acomiskey
Level 10

Do you have something like this?

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Yes, I have this.

When I have a local user on the ASA, it works.

But how could the traffic be forwarded to the ACS server?

Are you sure you have something like this in the configuration?

aaa-server RADIUS-SERVER protocol radius
aaa-server RADIUS-SERVER () host
tunnel-group PAK-TEL general-attributes
 authentication-server-group RADIUS-SERVER

This assumes that you are using the RADIUS protocol for authentication and that ACS is configured accordingly.

Try the following test command to ensure that authentication is working against the ACS server:

test aaa-server authentication host

e.g.,

test aaa-server authentication RADIUS host 1.2.3.4

Regards,

Prem

Thanks.

I don't see any failed/passed info under Reports and Activity on ACS.

On ACS the following has been done:

- ASA added under AAA Clients with the shared key
- RADIUS authentication
- Renamed group 5 on ACS to PAK-TEL

No Luck so far...

Renaming the group to PAK-TEL is not required; it is only for your management comfort.

One question: are you able to authenticate using the current ACS from any other device, or is the ASA the only one that you are trying to authenticate with? It could be that ACS is not configured properly; by that I mean the "Proxy Distribution Table" is not configured properly.

If this is the first time you are trying to authenticate on ACS, then please enable Passed Reports as it is disabled by default.

The very first thing that must succeed, in order to get VPN users authenticated, is the "test aaa..." command from the ASA. If that does not succeed, there is no point in testing with the VPN client.

Make sure that nothing is blocking the RADIUS traffic in between, i.e. between the ASA and ACS.

What is the result of the test command? Is it

"ERROR: Authentication Server not responding: No error"

or something else?

Regards,

Prem

Please rate if it helps!
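Putting the two replies above together (the missing aaa-server/authentication-server-group commands, and the test command to run before touching the VPN client), here is an added example of the complete RADIUS-related configuration as it would look on a pre-8.3 ASA. It is not configuration from the original post or from Cisco documentation. The ACS address 192.168.1.50, the interface name inside, the shared key RadiusKeyChangeMe, the transform-set name ESP-3DES-SHA, the dynamic-map sequence number 20, the inside subnet 192.168.1.0/24 and the test credentials are all assumed values; the lines beginning with ! are annotations, not commands.

```cisco
! --- RADIUS server group pointing at ACS (assumed: ACS at 192.168.1.50 on "inside") ---
! The key must match the one entered for the ASA under AAA Clients on ACS, byte for byte.
aaa-server RADIUS-SERVER protocol radius
aaa-server RADIUS-SERVER (inside) host 192.168.1.50
 key RadiusKeyChangeMe
 authentication-port 1645
 accounting-port 1646
 timeout 5

! --- Phase 2: the dynamic map referenced by outside_map has to exist (assumed names) ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! --- NAT exemption for the VPN pool, pre-8.3 syntax (assumed inside subnet 192.168.1.0/24) ---
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- Tunnel group: authenticate users against ACS instead of the LOCAL database ---
! Appending LOCAL after the group name would fall back to local users if ACS is unreachable.
tunnel-group PAK-TEL type ipsec-ra
tunnel-group PAK-TEL general-attributes
 address-pool JK
 authentication-server-group RADIUS-SERVER
 default-group-policy PAK-TEL

! --- Verify from the ASA first; the VPN client is only worth testing once this passes ---
! (assumed test account testuser/testpass created on ACS)
test aaa-server authentication RADIUS-SERVER host 192.168.1.50 username testuser password testpass
show aaa-server RADIUS-SERVER
debug radius
```

If the test returns "Authentication Server not responding", the ASA never got a reply: check reachability and any filtering of UDP 1645/1646 between the inside interface and ACS, and that the ASA's address as seen by ACS matches the AAA client entry. If it returns an authentication rejection instead, the packet reached ACS and the problem is on the ACS side (shared key mismatch, user or group settings), which is also when the Passed/Failed Attempts reports start showing entries.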
