ASA5505 and Microsoft RADIUS

ofir
Level 1

I currently have ASA5505 VPN clients authenticating via the local database (which I see as a simple typo machine :)

I'm required to make users change their password to comply with complexity and minimum-length rules, which to my understanding cannot be done directly on the ASA.

I've set up an IAS which uses RADIUS Standard for the ASA5505 client.

Now I have two groups of users using the same tunnel with the local database:

users who are also domain users -> for those users I assume IAS will solve the problem by syncing with AD

users who are NOT domain users -> how do I apply those rules to these users?

How should I configure the AAA server on the ASA, and what should I change on the tunnel group in order to make all of this work?

Accepted Solution

Ivan Martinon
Level 7

Your AAA server should be a RADIUS type with, of course, the correct settings (key, IP and so on). After this change has been done, you need to go into tunnel-group mode (general attributes) and call your AAA server for authentication: authentication-server-group <radius-server-group> LOCAL

LOCAL will be there only for fallback.

After this change is done, and your IAS connects to the AD correctly, you should be able to authenticate. NOTE: making this change in the config will force all users to have a valid username in the IAS/AD schema; the local database will only be used when RADIUS fails.

Now, to give the VPN clients the ability to change the password, you will need to go ahead and enable "ms-chap v2" under the tunnel-group PPP attributes; the moment this is done, the Domain field will be displayed on the XAUTH prompt of the VPN client. The keyword "password-management" also has to be enabled under the general-attributes.

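The configuration the accepted answer describes, written out as an added example (it is not from the original thread or from Cisco). It assumes ASA 8.0-8.3 syntax, an IAS server at 192.0.2.10 reachable through the "inside" interface, a RADIUS server group named IAS-RADIUS, a remote-access tunnel group named CorpVPN and a group policy CorpVPN-GP; all of these names, the address pool and the shared secret are placeholders.

```cisco
! Added example, not from the original thread. Assumes ASA 8.0-8.3 syntax;
! the server IP, group names, pool and shared secret are placeholders.
ip local pool VPN-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! RADIUS server group pointing at IAS. With a single host, the ASA only
! falls back to LOCAL once this group has been marked dead.
aaa-server IAS-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key Replace-With-A-Long-Random-Shared-Secret
 authentication-port 1812
 accounting-port 1813
 ! Leave MS-CHAPv2 on (it is the default): password-management relies on it
 ! to carry the new password to the RADIUS server.
 mschapv2-capable
!
group-policy CorpVPN-GP internal
group-policy CorpVPN-GP attributes
 vpn-tunnel-protocol IPSec
 dns-server value 192.0.2.20
 default-domain value corp.example.com
!
tunnel-group CorpVPN type remote-access
tunnel-group CorpVPN general-attributes
 address-pool VPN-POOL
 default-group-policy CorpVPN-GP
 ! RADIUS first; LOCAL is consulted only when the IAS group is unreachable,
 ! not when IAS rejects the credentials.
 authentication-server-group IAS-RADIUS LOCAL
 ! Let the client change an expired password and warn 14 days in advance.
 password-management password-expire-in-days 14
tunnel-group CorpVPN ipsec-attributes
 pre-shared-key Replace-With-Group-PSK
```

Before cutting users over, check the RADIUS path from the ASA with `test aaa-server authentication IAS-RADIUS host 192.0.2.10 username <user> password <pw>` and watch `show aaa-server IAS-RADIUS` for the server state. On the IAS side the remote access policy for this RADIUS client must permit MS-CHAP v2 and allow the user to change an expired password, otherwise the ASA's password-management prompt will fail even though plain authentication works.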

3 Replies


Thanks.

One follow-up question: under these settings, is there any way I can have non-AD users other than creating a dedicated VPN tunnel that would use the LOCAL DB?

And if I do so, can I force them to change passwords every X time (without the complexity, but at least changing it)?

You can do it by configuring a second tunnel group where local auth is used. You cannot set password change on the local DB.
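The second tunnel group suggested in the reply above, as an added example that is not from the original thread or from Cisco. It assumes ASA 8.0-8.3 syntax; the tunnel group VendorsVPN, group policy Vendors-GP, user vendor1, address pool and pre-shared key are all placeholders. Since the local database cannot expire passwords, the example instead pins the local account to its own tunnel group and limits session lifetime, which is what the ASA can enforce on its own.

```cisco
! Added example, not from the original thread. Assumes ASA 8.0-8.3 syntax;
! tunnel-group, group-policy, user and pool names are placeholders.
! Second remote-access tunnel group for non-domain users, authenticated
! against the ASA local database only.
ip local pool VENDOR-POOL 10.10.20.1-10.10.20.20 mask 255.255.255.0
!
group-policy Vendors-GP internal
group-policy Vendors-GP attributes
 vpn-tunnel-protocol IPSec
 ! The local DB cannot expire the password, so at least bound the sessions.
 vpn-idle-timeout 30
 vpn-session-timeout 480
!
! Local account for a non-domain user. group-lock pins it to VendorsVPN, so
! the same credentials cannot be used on the RADIUS-backed tunnel group
! while that group is in LOCAL fallback. service-type remote-access marks
! the account VPN-only; it is enforced only if "aaa authorization exec
! LOCAL" is configured (assumed here).
username vendor1 password Replace-With-Strong-Password privilege 0
username vendor1 attributes
 vpn-group-policy Vendors-GP
 group-lock value VendorsVPN
 service-type remote-access
!
tunnel-group VendorsVPN type remote-access
tunnel-group VendorsVPN general-attributes
 address-pool VENDOR-POOL
 default-group-policy Vendors-GP
 authentication-server-group LOCAL
tunnel-group VendorsVPN ipsec-attributes
 pre-shared-key Replace-With-Vendor-Group-PSK
```

Password rotation for these accounts stays a manual step: re-issue `username vendor1 password <new>` on a schedule and confirm the change with `show running-config username vendor1`, since nothing on the ASA will expire the local password for you.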
