ASA5505 and Microsoft RADIUS

Answered Question

I currently have ASA5505 VPN clients authenticating via the local database (which I see as a simple typo machine :)

I'm required to make users change their pwd to comply with complexity and minimum-length rules, which to my understanding cannot be done directly on the ASA.

I've set up an IAS which uses RADIUS Standard for the ASA5505 client.

Now I have 2 groups of users using the same tunnel with the local database:

Users who are also domain users -> for those users I assume IAS will solve the problem by syncing with AD.

Users who are NOT domain users -> how do I apply those rules to these users???

How should I configure the aaa-server on the ASA, and what should I change on the tunnel group, in order to make all of this work?

Correct Answer
Ivan Martinon Thu, 02/26/2009 - 08:59

Your AAA server should be a RADIUS type with, of course, the correct settings (key, IP and so on). After this change has been done, you need to go into the tunnel-group mode (general attributes) and call your AAA server for authentication: authentication-server group LOCAL

Local will be there only for fallback.

After this change is done, and your IAS connects to the AD correctly, you should be able to authenticate. NOTE: making this change in the config will force all users to have a valid username in the IAS/AD schema; the local database will only be used when RADIUS fails.

Now, to give the VPN clients the ability to change the password, you will need to go ahead and enable "ms-chap v2" under the tunnel-group PPP attributes; the moment this is done, the Domain field will be displayed on the XAUTH prompt of the VPN client. The keyword "password-management" also has to be enabled under the general-attributes.

Ivan Martinon Thu, 02/26/2009 - 09:14

You can do it by configuring a second tunnel group where local auth is used. You cannot set password change on the local DB.
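A worked ASA configuration that follows both answers above (a RADIUS server group with LOCAL fallback on the domain users' tunnel group, plus a second tunnel group that stays on the local database for non-domain users). This is an added example, not Ivan's own config: the group names, the 192.0.2.10 address, the VPN-POOL/VPN-POLICY objects (assumed to already exist) and the keys are placeholders.

```cisco
! Added example (not from the original post). Names, addresses and secrets
! are placeholders chosen for this illustration.
!
! 1. Define the IAS box as a RADIUS server group. 1812/1813 are the
!    RADIUS Standard ports IAS listens on.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
!
! 2. Tunnel group for domain users: authenticate against IAS/AD and fall
!    back to LOCAL only when no server in the group is reachable (a rejected
!    password is an authentication failure, not a fallback). The
!    password-management keyword lets the client prompt for a new password
!    when AD reports the old one expired or non-compliant.
!    (Releases before 8.0 spell the type "ipsec-ra" instead of "remote-access".)
tunnel-group DOMAIN-VPN type remote-access
tunnel-group DOMAIN-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-POLICY
 authentication-server-group IAS-RADIUS LOCAL
 password-management
tunnel-group DOMAIN-VPN ipsec-attributes
 pre-shared-key REPLACE-WITH-DOMAIN-GROUP-PSK
tunnel-group DOMAIN-VPN ppp-attributes
 authentication ms-chap-v2
!
! 3. Separate tunnel group for the non-domain users, kept on the local
!    database. No password-management here: the ASA cannot enforce
!    complexity, minimum length or expiry on local accounts, so those users
!    have to be managed by hand (or moved into AD). The VPN client selects
!    the group by name, so each population gets its own group name and PSK.
tunnel-group LOCAL-VPN type remote-access
tunnel-group LOCAL-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-POLICY
 authentication-server-group LOCAL
tunnel-group LOCAL-VPN ipsec-attributes
 pre-shared-key REPLACE-WITH-LOCAL-GROUP-PSK
```

Once this is in place, "test aaa-server authentication IAS-RADIUS host 192.0.2.10 username <user> password <pw>" on the ASA confirms the RADIUS path (shared secret, client entry on IAS) before any VPN client is touched.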
