acs 5.0 with VPN Authentication

muralee29477
Level 1

Hi

I would appreciate it if somebody could guide me on how to configure ACS 5.0 RADIUS for remote access VPN authentication.

Also, how could I implement IP pools for the VPN users?

Best regards

Muralee


minkumar
Level 1

Hi Muralee,

In case you are trying to configure VPN authentication for IP pool management, then I would say it's not a good idea, because:

In ACS 5.x, IP pool management is not supported.

While RADIUS servers nearly always did this in the early dial-up days, today DHCP is commonly used. For ACS 5, a decision was made to drop IP pool management and recommend that customers use DHCP.

However, if you want to configure VPN authentication, from the ACS perspective all you need to do is the following:

access policies > default network access > identity (select internal users, or if it's AD then select AD) > authorization > click on customize > move the desired condition >
for example > device ip address > put in the IP address of the ASA (VPN device) > authorization profile > permit access.

So it will be:

access policy > default network access > identity (internal users or AD) > authorization > create rule > device ip=1.1.1.1 > authorization profile=permit access

Let me know if it helps.

On the ASA, do the following:

aaa-server ACS_5.0 protocol radius
 reactivation-mode depletion deadtime 20
 max-failed-attempts 5
aaa-server ACS_5.0 host x.x.x.x
 key x.x.x.x
 authentication-port 1812
 accounting-port 1813

tunnel-group ACS_5.0 type ipsec-ra
tunnel-group ACS_5.0 general-attributes
 authentication-server-group ACS_5.0
 default-group-policy ACS_5.0
tunnel-group ACS_5.0 ipsec-attributes
 pre-shared-key *

Try the test authentication and let me know if it helps.
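To show what the ASA's `key` and `authentication-port 1812` lines actually carry on the wire, here is an added example in Python (not from this thread or from Cisco) that builds a RADIUS Access-Request with the RFC 2865 PAP password hiding, including the NAS-IP-Address attribute that the ACS "device ip" rule matches on, and checks the server's Response Authenticator so a reply not signed with the same shared key is rejected. The shared secret, user name and NAS address 1.1.1.1 are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def pap_encrypt(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_decrypt(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of pap_encrypt: what the RADIUS server does with the same shared key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, ident, username, password, nas_ip, req_auth=None):
    """Access-Request as the VPN device sends it: User-Name (1), User-Password (2), NAS-IP-Address (4)."""
    req_auth = req_auth or os.urandom(16)  # fresh 16-byte Request Authenticator per request
    attrs = (attr(1, username.encode())
             + attr(2, pap_encrypt(secret, req_auth, password.encode()))
             + attr(4, socket.inet_aton(nas_ip)))  # the 'device ip' the ACS rule matches
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(secret, req_auth, code, ident, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(secret: bytes, req_auth: bytes, resp: bytes) -> bool:
    """Client side: accept a reply only if it answers our authenticator with the same shared key."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```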

Hi Minkumar,

Thanks for the reply.

I would appreciate it if you could be more descriptive on the ACS configuration, as this is the first time I am configuring it.

Also, how could I do the IP address assignment for the VPN users? Please include it in the configuration.

Hi,

IP address assignment is not possible on ACS. However, you can configure simple VPN authentication.

On ACS:

access policies > default network access > identity (select internal users, or if it's AD then select AD) > authorization > click on customize > move the desired condition >
for example > device ip address > put in the IP address of the ASA (VPN device) > authorization profile > permit access.

So it will be:

access policy > default network access > identity (internal users or AD) > authorization > create rule > device ip=1.1.1.1 > authorization profile=permit access

You can follow the link below for common scenarios:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/common_scenarios.html#wp1152364

Regards,

Minakshi

Do rate the helpful posts.

Hi,

Thanks for the support.

I was able to do it with static IP address assignment.

Thanks again.
