Cisco Support Community

New Member

acs 5.0 with VPN Authentication

Hi

I would appreciate it if somebody could guide me on how to configure ACS 5.0 RADIUS for remote-access VPN authentication.

And how could I implement IP pools for the VPN users?

Best regards

Muralee

4 REPLIES
Silver

Hi Muralee,

In case you are trying to configure VPN authentication for IP pool management, then I would say it's not a good idea, because:

In ACS 5.x, IP pool management is not supported.

While RADIUS servers nearly always did this in the early dial-up days, today DHCP is commonly used. For ACS 5, a decision was made to drop IP pool management and recommend that customers use DHCP.

However, if you want to configure VPN authentication, from the ACS perspective all you need to do is the following:

Access Policies > Default Network Access > Identity (select Internal Users, or if it's AD then select AD) > Authorization > click on Customize > move the desired condition,
for example Device IP Address > put in the IP address of the ASA (VPN device) > Authorization Profile > Permit Access.

So it will be:

Access Policies > Default Network Access > Identity (Internal Users or AD) > Authorization > Create Rule > Device IP = 1.1.1.1 > Authorization Profile = Permit Access

Let me know if it helps.

On the ASA, do the following:

! RADIUS server group pointing at ACS
aaa-server ACS_5.0 protocol radius
 reactivation-mode depletion deadtime 20
 max-failed-attempts 5
! x.x.x.x = ACS server address; key = the RADIUS shared secret configured on ACS for this ASA
aaa-server ACS_5.0 host x.x.x.x
 key x.x.x.x
 authentication-port 1812
 accounting-port 1813

! Remote-access IPsec tunnel group that authenticates users against the ACS server group
tunnel-group ACS_5.0 type ipsec-ra
tunnel-group ACS_5.0 general-attributes
 authentication-server-group ACS_5.0
 default-group-policy ACS_5.0
tunnel-group ACS_5.0 ipsec-attributes
 pre-shared-key *

Try the test authentication and let me know if it helps.
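As an added example (not part of any post in this thread, and not a Cisco sample), here is one way to put the reply above together on the ASA side, with the address assignment that ACS 5 will not do for you handled on the ASA instead. It keeps the same pre-8.4 "ipsec-ra" syntax the post uses. The interface name, the ACS address 10.0.0.5, the DHCP server 10.0.0.20, the 192.168.100.0/24 pool, the secrets and the test user are all placeholders assumed for this example.

```cisco
! Added example, not from the thread: ASA 8.x (pre-8.4 "ipsec-ra" syntax) remote-access
! VPN authenticating users against ACS 5 over RADIUS, with IP assignment done on the ASA.
! Every address, name and secret below is a placeholder chosen for this example.

! RADIUS server group for ACS. Use a long random shared secret, never a placeholder:
! RADIUS hides User-Password with MD5 keyed on this secret alone, so it is the only
! thing protecting the user's password on the ASA-to-ACS segment.
aaa-server ACS_5.0 protocol radius
 reactivation-mode depletion deadtime 20
 max-failed-attempts 5
aaa-server ACS_5.0 (inside) host 10.0.0.5
 key <long-random-shared-secret>
 authentication-port 1812
 accounting-port 1813

! Address assignment methods the ASA tries, in this order: an address returned by the
! AAA server (RADIUS Framed-IP-Address), then DHCP, then a local pool. All three are
! on by default; they are listed here so the order is explicit.
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local

! Option A: a local pool on the ASA, the simplest replacement for an ACS IP pool.
ip local pool VPN_POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0

group-policy ACS_5.0 internal
group-policy ACS_5.0 attributes
 vpn-tunnel-protocol ipsec
 address-pools value VPN_POOL
 dhcp-network-scope 192.168.100.0

! Option B: DHCP, as the reply above recommends. dhcp-network-scope (group policy,
! above) tells the DHCP server which subnet to allocate from; dhcp-server (tunnel
! group, below) is the server the ASA relays the request to. Keep either A or B;
! with both configured, the vpn-addr-assign order decides which one is used.
tunnel-group ACS_5.0 type ipsec-ra
tunnel-group ACS_5.0 general-attributes
 authentication-server-group ACS_5.0
 default-group-policy ACS_5.0
 dhcp-server 10.0.0.20
tunnel-group ACS_5.0 ipsec-attributes
 pre-shared-key <group-pre-shared-key>

! Option C: a per-user static address. If the RADIUS server returns Framed-IP-Address
! (IETF attribute 8) and Framed-IP-Netmask (attribute 9) in its Access-Accept, the ASA
! uses that address before DHCP or the pool; no extra ASA config is needed beyond
! "vpn-addr-assign aaa" above.

! Verify the RADIUS path from the ASA before touching a client:
! test aaa-server authentication ACS_5.0 host 10.0.0.5 username vpnuser password <password>
! show aaa-server ACS_5.0
```

Two things to check on the ACS side before running the test command: the ASA must be defined under Network Resources > Network Devices and AAA Clients with RADIUS enabled and the same shared secret, or ACS silently drops the Access-Request; and a rule of the form "Device IP = 1.1.1.1 > Permit Access" permits every user the selected identity store can authenticate, so if only some users should reach the VPN, add an Identity Group or AD group condition to that rule rather than relying on the device IP alone.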
New Member

Hi Minkumar

Thanks for the reply.

I would appreciate it if you could be more descriptive on the ACS configuration, as this is the first time I am configuring it.

Also, how could I do the IP address assignment for the VPN users? Please include it in the configuration.

Silver (accepted solution)

Hi

IP address assignment is not possible on ACS. However, you can configure simple VPN authentication.

On ACS:

Access Policies > Default Network Access > Identity (select Internal Users, or if it's AD then select AD) > Authorization > click on Customize > move the desired condition,
for example Device IP Address > put in the IP address of the ASA (VPN device) > Authorization Profile > Permit Access.

So it will be:

Access Policies > Default Network Access > Identity (Internal Users or AD) > Authorization > Create Rule > Device IP = 1.1.1.1 > Authorization Profile = Permit Access

You can follow the link below for common scenarios:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/common_scenarios.html#wp1152364

Regards

Minakshi

Do rate the helpful posts

New Member

Hi

Thanks for the support.

I was able to do it with static IP address assignment.

Thanks again.
