Remote Access VPN authentication through RADIUS

somnath21
Level 1

Hi,

I have configured remote access VPN (IPsec) on my Cisco ASA. Before, there was only a single username & password for the VPN client. Now I am planning to give access through a RADIUS server. I have configured the RADIUS server on a Windows 2003 server.

Server configuration:

1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with the IP address of the Cisco ASA (inside interface).

2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.

3) Check that Grant Remote Access Permissions is selected. Click Edit Profile and check these settings: On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP, and MS-CHAP-v2. On the Encryption tab, ensure that the option for No Encryption is selected. Click OK when you are finished.

4) Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account. Add a user and check this profile information: On the General tab, ensure that the option for Password Never Expired is selected instead of the option for User Must Change Password.

On the Dial-in tab, select the option for Allow access.

ASA configuration:

aaa-server vpn protocol radius
aaa-server vpn host 10.155.20.25 (RADIUS server IP)
 key cisco321
tunnel-group vpnacc type ipsec-ra
tunnel-group vpnacc general-attributes
 authentication-server-group vpn

But it is not working. Please guide me to resolve this issue.

Regards,

som

7 Replies

Hi,

Did you add the ASA to the list of NAS in the RADIUS server?

Massimiliano.

How do I add that one? Please guide.

regards,

som

Hi,

Are you using a Cisco Secure ACS for your RADIUS authentication?

Craig

I'm using Windows 2003...

I assume by your answer of Windows 2003 that you are using the ISA server for RADIUS authentication then?

Craig

You don't say which version of ASA code you are running, but I don't see your specification of interface on your aaa statement. Wouldn't it look something like:

aaa-server vpn (INSIDE) host x.x.x.x key xxxxxxx?

That is how mine looks on 8.0(4).

Also, take a look at your logs on the Windows server, and try debugging the ASA. Try running Wireshark or Network Monitor on the Windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the ASA and/or checking the logs on the server. Make sure the service is running on the Windows box. Make sure that something stupid like Windows Firewall isn't blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword".

Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning: running debugs on a production firewall should be done at your own risk; it is very easy to overwhelm a device to the point it stops responding by running debugs.
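The replies above boil down to two checks: is the ASA registered as a RADIUS client (NAS) on the server, and does the server answer at all when a request arrives with the right shared secret. The script below is an added example written for this thread; it is not Cisco ASA, Windows IAS, or the poster's code. It builds an RFC 2865 PAP Access-Request (the same kind of exchange the ASA's `test aaa-server authentication` command produces) so you can send it from a host whose address is registered on the IAS server, and it validates the Response Authenticator with the shared secret, which separates "wrong shared secret" from "wrong user password". An unregistered client address gets no reply at all, because RFC 2865 tells servers to silently discard such requests, which is the symptom the first reply is pointing at. The secret, usernames, NAS address and packet identifier in the code are constructed placeholders; only the server address 10.155.20.25 comes from the thread.

```python
"""Minimal RFC 2865 RADIUS PAP client for checking server reachability and
shared-secret configuration. Added example for this thread; not Cisco or IAS code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, username, password, secret, nas_ip):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    enc = encrypt_password(password, secret, authenticator)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(enc)) + enc
    # NAS-IP-Address should match the RADIUS client entry registered on the server
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + socket.inet_aton(nas_ip)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(data: bytes):
    """Return [(type, value), ...]; reject truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    A failure here points at a shared-secret mismatch, not a bad user password."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Constructed server reply, used only to exercise verify_response offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def probe_server(server_ip, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request over UDP/1812 and classify the outcome."""
    authenticator = os.urandom(16)
    identifier = os.urandom(1)[0]
    pkt = build_access_request(identifier, authenticator, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server_ip, 1812))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: server down, port blocked, or this client not registered as a NAS"
    if data[1] != identifier or not verify_response(data, authenticator, secret):
        return "reply failed Response Authenticator check: shared secret mismatch?"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(data[0], f"code {data[0]}")


if __name__ == "__main__":
    # Placeholders: the IAS server from the thread, a placeholder secret (use the value
    # from `aaa-server ... key`), a test account, and the address registered as the NAS.
    print(probe_server("10.155.20.25", b"SHARED-SECRET", b"testuser", b"testpass", "192.0.2.10"))
```

Run it from the registered client host while watching the server's system event log: a timeout with nothing logged usually means the request never reached IAS or the source address is not a registered client, a logged rejection with a failed authenticator check means the secret differs from the ASA's `key`, and an Access-Reject with a good authenticator means the account or remote access policy is the problem, which is the point at which the ASA-side `debug aaa` output becomes useful.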
