Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Doubt on RA vpn user aaa using ACS 5.3

Hi,

I am trying to set up RA VPN on ASA 8.4 with 2 groups - VPNGp1 and  VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will access  5.6.7.0/24. User authentication will happen using ACS 5.3 Radius.

On ASA, I have configured the IP pools, VPN ACLs, VPN groups, group policies for each group, and tunnel groups.

On ACS, I have created vpn-user1 and vpn-user2 for each of 2 groups.

I am not sure if some more configuration needs to be done on ASA and  ACS... Do I need to add new users - vpn-user1 and vpn-user2 - on ASA,  under each corresponding group policy, using vpn-group-policy command?  Or I need to do something else on ACS?

Lastly, how can I configure authorization and accounting for the VPN users? Do I need to do this on ACS or on ASA?

Please advice.

Thanks.

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions

Doubt on RA vpn user aaa using ACS 5.3

Hi,

The purpose of using radius authentication is to centralize the user accounts and policies so that you will not have to configure these on the ASA. You will need to create an authentication server group that points to your ACS, then you will have to reference this server-group to your tunnel-group so user authentication requests will be forwarded to ACS for authentication. For accounting you will create an accounting server group and also assign that to your tunnel group configuration.

On the ACS you will have to create a network device client which is the ASA, and the shared secret will have to be the same. You will create a network authorization policy element which will have any authorization parameters, or you can choose the Permit Access which allows authentication succeed without any special permissions.

You can debug the sessoin by using debug crypto vpnclient 255 to see the authentication flow.

Are you using SSL vpn (anyconnect) for these sessions?

Thanks

Tarik Admani

Tarik Admani *Please rate helpful posts*
8 REPLIES

Doubt on RA vpn user aaa using ACS 5.3

Hi,

The purpose of using radius authentication is to centralize the user accounts and policies so that you will not have to configure these on the ASA. You will need to create an authentication server group that points to your ACS, then you will have to reference this server-group to your tunnel-group so user authentication requests will be forwarded to ACS for authentication. For accounting you will create an accounting server group and also assign that to your tunnel group configuration.

On the ACS you will have to create a network device client which is the ASA, and the shared secret will have to be the same. You will create a network authorization policy element which will have any authorization parameters, or you can choose the Permit Access which allows authentication succeed without any special permissions.

You can debug the sessoin by using debug crypto vpnclient 255 to see the authentication flow.

Are you using SSL vpn (anyconnect) for these sessions?

Thanks

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

Doubt on RA vpn user aaa using ACS 5.3

Hi Tarik,

I am trying to configure remote access vpn, not ssl vpn.

On ASA, I have done this:

aaa-server tacacsgroup protocol tacacs+

aaa-server tacacsgroup (management) host 1.2.3.4

key cisco

aaa authentication ssh console tacacsgroup local

aaa authorization command tacacsgroup

aaa accounting ssh console tacacsgroup

aaa accounting command tacacsgroup

aaa-server radgroup protocol radius

aaa-server radgroup (management) host 1.2.3.4

key cisco

I have created the ip pools, interesting traffic ACLs, group policies, and tunnel groups.

On ACS, I have added asa as AAA client, created vpn-user1 and vpn-user2 and configured the authorization policy for each.

Is this config complete for RA vpn with authentication, authorization and accounting from ACS?

How can I confirm that AAA (authentication, authorization and accounting of commands) of RA vpn users is happening via ACS?

Thanks.

Doubt on RA vpn user aaa using ACS 5.3

Please post the tunnel group configurations also. You have to reference the authentication server group and accounting server group.

There is no command accounting for remote access VPN, just details about connection details: connection time data consumption...etc.

If you're asking how to verify from the acs side, check the monitoring and reports section and see the radius authetication and radius accounting reports.

You can create an internal user on the Asa and attempt to authenticate to see if you at denied, so you knw te request is going to the acs server.

Just so you know you can join acs to AD and use accounts in active directory.

Thanks,

Tarik Admani *Please rate helpful posts*
New Member

Doubt on RA vpn user aaa using ACS 5.3

Hi Tarik,

This is the ra vpn config from my asa:

ciscoasa(config)# ip local pool grponepool 192.168.1.1-192.168.1.50 mask 255.255.255.0

ciscoasa(config)# ip local pool grptwopool 192.168.1.100-192.168.1.150 mask 255.255.255.0

ciscoasa(config)# access-list Test_Split_ACL standard permit 172.16.0.0 255.255.0.0

ciscoasa(config)# group-policy grponeGrpPol internal

ciscoasa(config)# group-policy grponeGrpPol attributes

ciscoasa(config-group-policy)# vpn-tunnel-protocol ikev1

ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified

ciscoasa(config-group-policy)# split-tunnel-network-list value Test_Split_ACL

ciscoasa(config-group-policy)# dns-server value 10.10.10.10

ciscoasa(config-group-policy)# default-domain value domain.com

ciscoasa(config-group-policy)# vpn-filter value grponeACL

ciscoasa(config)# group-policy grptwoGrpPol internal

ciscoasa(config)# group-policy grptwoGrpPol attributes

ciscoasa(config-group-policy)# vpn-tunnel-protocol ikev1

ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified

ciscoasa(config-group-policy)# split-tunnel-network-list value Test_Split_ACL

ciscoasa(config-group-policy)# dns-server value 10.10.10.10

ciscoasa(config-group-policy)# default-domain value domain.com

ciscoasa(config-group-policy)# vpn-filter value grptwoACL

ciscoasa(config)# tunnel-group grponeTunGrp type remote-access

ciscoasa(config)# tunnel-group grponeTunGrp general-attributes

ciscoasa(config-tunnel-general)# default-group-policy grponeGrpPol

ciscoasa(config-tunnel-general)# address-pool grponepool

ciscoasa(config-tunnel-general)# authentication-server-group radgroup

ciscoasa(config)# tunnel-group grponeTunGrp ipsec-attributes

ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key *****

ciscoasa(config)# tunnel-group grptwoTunGrp type remote-access

ciscoasa(config)# tunnel-group grptwoTunGrp general-attributes

ciscoasa(config-tunnel-general)# default-group-policy grptwoGrpPol

ciscoasa(config-tunnel-general)# address-pool grptwopool

ciscoasa(config-tunnel-general)# authentication-server-group radgroup

ciscoasa(config)# tunnel-group grptwoTunGrp ipsec-attributes

ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key *****

This is the aaa config from my asa:

ciscoasa(config)# aaa-server tacacsgroup protocol tacacs+

ciscoasa(config)# aaa-server tacacsgroup (management) host 1.2.3.4

ciscoasa(config)# key cisco

ciscoasa(config)# aaa authentication ssh console tacacsgroup local

ciscoasa(config)# aaa authorization command tacacsgroup

ciscoasa(config)# aaa accounting ssh console tacacsgroup

ciscoasa(config)# aaa accounting command tacacsgroup

ciscoasa(config)# aaa-server radgroup protocol radius

ciscoasa(config)# aaa-server radgroup (management) host 1.2.3.4

ciscoasa(config)# key cisco

Does this look complete? Or I should add 'accounting-server-group' also to tunnel group config? As you said, accounting for ra vpn do not log commands run by users, only conn related information.

I made tacacsgroup so I can use acs for authenticating my admin users, when I ssh into asa for managing it.

I checked acs monitoring and reports and yes I find the tacacs event reports and radius auth n accounting reports. But there is no radius authorization report..?

Now if I understand correctly, when I ssh into asa, the asa sends access request to acs, the acs confirms the username and password, and records the authentication, authorization events. From here, when I will run any command, those will also be logged in acs. And I will be able to view these in acs monitoring n reports under tacacs reports.

For a vpn user, when user connects via vpn client, the group info will be passed along with the userid entered for authentication. ASA will receive the request and ask acs for validation. If the login information is right, then acs will confirm n based on the group membership, vpn user will be given ip address from one of the 2 pools. Then, based on what privilege level I assign to group user on acs via authorization policy, user will be able to run those commands on asa. am I right?

So everything related to aaa happens using acs. Is there a way I can check authentication, authorization and accounting event on asa for both vpn user and my admin user?

Thanks.

Doubt on RA vpn user aaa using ACS 5.3

Hi,

Radius is a different protocol based on tacacs, the authorization in radius is the response sent in the access-accept. Unlike tacacs where once authentication succeeds the Asa in this case will send and authorization packet to the acs and that is done for every command if you choose command authorization.

When you look at your configuration the:

The aaa authentication commands are used to authenticate admin access to the Asa using tacacs, there is no way a radius user will be able to adminster this device (unless your users in acs match the same tacacs policies). Your configuration for radius is only referenced in the tunnel-group in order to authenticate the users for network access, you can implement command authorization using radius but it's not practical since based on the design of the protocol itself.

Thanks,

Tarik

Tarik Admani *Please rate helpful posts*
New Member

Doubt on RA vpn user aaa using ACS 5.3

okay, right. The ra vpn users only need to access some server in internal lan, n for each ra vpn group, I mapped the acls. So yeah radius will be used to authenticate the ra vpn user.

Is there a way I can check authentication, authorization and accounting event on asa for both vpn user and my admin user?

Many Thanks.

Doubt on RA vpn user aaa using ACS 5.3

You can issue debug VPN-sessiondb 255, and capture the debugs for the client.

Thanks,

Tarik

Tarik Admani *Please rate helpful posts*
New Member

Doubt on RA vpn user aaa using ACS 5.3

Ok Tarik. Thanks for answering my doubts. It was very helpful to me.

Thanks again.!

1017
Views
10
Helpful
8
Replies
CreatePlease login to create content