03-20-2012 05:51 AM - edited 03-10-2019 06:55 PM
Hi
I would appreciate it if somebody could guide me on how to configure the ACS 5.0 RADIUS for remote access VPN authentication.
And how could I implement the IP pools for the VPN users?
Best regards
Muralee
03-20-2012 06:12 AM
Hi Muralee,
In case you are trying to configure VPN authentication for IP pool management, then I would say it's not a good idea, because:
In ACS 5.x IP Pool management is not supported. While RADIUS servers nearly always did this in the early dial up days, today DHCP is commonly used. For ACS 5, a decision was made to drop IP Pool management, and recommend that customers use DHCP.
However, if you want to configure VPN authentication:
From the ACS perspective, all you need to do is the following:
access policies> default network address> identity(select internal users or if it's AD then select AD) > authorization > click on customize > move the desired condition>
for example> device ip address> put in the ip address of ASA(vpn device)> authorization profile> permit access.
so it will be>
access policy> default network access> identity(internal users or AD)> authorization > create rule> device ip=1.1.1.1 > authorization profile=permit access
Let me know if it helps:
On the ASA, do the following:

aaa-server ACS_5.0 protocol radius
 reactivation-mode depletion deadtime 20
 max-failed-attempts 5
aaa-server ACS_5.0 host x.x.x.x
 key x.x.x.x
 authentication-port 1812
 accounting-port 1813
tunnel-group ACS_5.0 type ipsec-ra
tunnel-group ACS_5.0 general-attributes
 authentication-server-group ACS_5.0
 default-group-policy ACS_5.0
tunnel-group ACS_5.0 ipsec-attributes
 pre-shared-key *

Try the test authentication and let me know if it helps
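
Added illustration (not part of the posts above, and not Cisco code): the RADIUS PAP exchange the ASA performs against ACS on port 1812, per RFC 2865, showing why the `key` under `aaa-server ... host` must match the shared secret ACS holds for that device IP. The user name, password and key values are constructed for the example.

```python
import hashlib, hmac, os, socket, struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden, secret, req_auth):
    """What the RADIUS server does with its own copy of the shared key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(code, value):
    return bytes([code, len(value) + 2]) + value

def access_request(user, password, secret, nas_ip, ident=1, req_auth=None):
    """Access-Request (code 1): User-Name, User-Password, NAS-IP-Address."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(1, user) + _attr(2, pap_hide(password, secret, req_auth))
             + _attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(hdr + RequestAuth + attrs + secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, req_auth, secret):
    """Client side: reject replies that were not computed with the shared key."""
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

if __name__ == "__main__":
    # Constructed values; 1.1.1.1 is the thread's example device IP.
    ra, key = os.urandom(16), b"constructed-shared-key"
    hidden = pap_hide(b"constructed-pass", key, ra)
    print(access_request(b"vpnuser", b"constructed-pass", key, "1.1.1.1", req_auth=ra).hex())
    print(pap_reveal(hidden, key, ra))           # matching key: password recovered
    print(pap_reveal(hidden, b"wrong-key", ra))  # mismatched key: garbage, login fails
    print(reply_is_authentic(build_reply(2, 1, ra, key), ra, key))
```

A key mismatch between the two sides looks like a wrong password to the server and like a forged reply to the client, so a failing test authentication with known-good credentials usually points at the shared key or the device IP entry.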
03-20-2012 09:54 PM
Hi Minkumar
Thanks for the reply.
I would appreciate it if you could be more descriptive on the ACS configuration, as this is the first time I am configuring it.
Also, how could I do the IP address assignment for the VPN users? Please include it in the configuration.
03-21-2012 06:43 AM
Hi
IP address assignment is not possible on ACS. However, you can configure simple VPN authentication.
On ACS:
access policies> default network address> identity(select internal users or if it's AD then select AD) > authorization > click on customize > move the desired condition>
for example> device ip address> put in the ip address of ASA(vpn device)> authorization profile> permit access.
so it will be>
access policy> default network access> identity(internal users or AD)> authorization > create rule> device ip=1.1.1.1 > authorization profile=permit access
you can follow the below link for common scenarios:
Regards
Minakshi
Do rate the helpful posts
03-23-2012 10:27 PM
Hi
Thanks for the support.
I was able to do it with static IP address assignment.
Thanks again.