ASA 5510 - VPN config ?

dstalls (Level 1)

Hello,

Just inherited an ASA 5510 in production, and am trying to logic out the existing config, and I am confused by the following entries:

tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 authentication-server-group Radius LOCAL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx

Ok, so it appears to me, please correct me if I am wrong, that the initial IPSec connection from the Cisco VPN client to the ASA is using a pre-shared key, and then the user is authenticated by RADIUS for access to services, or the LOCAL db if that fails?

Please advise. All of the clients have the pre-shared key configured, but they are also forced to use their MS login and password to access anything.

Thanks a lot for your help.

Accepted Solution

Fernando_Meza (Level 7)

Hi .. below is a brief explanation

tunnel-group vpntunnel type ipsec-ra

* vpntunnel is a remote access vpn group *

tunnel-group vpntunnel general-attributes
 address-pool vpnpool

* vpntunnel group is assigned IP addresses from pool vpnpool *

 authentication-server-group Radius LOCAL

* User authentication for vpntunnel group is by the servers defined under the Radius group. If those server(s) are unavailable then the local database will be used *

 default-group-policy vpntunnel

tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx

* First phase of ISAKMP authentication is based on a preshared password. *

In summary, the IPsec tunnel will be established after satisfying 2 steps:

1.- using the group name vpntunnel and the preshared password which are configured on the vpn client.

2.- After the above is successful then the user will be challenged for a username and password which then will be checked against the Radius server(s) .. if authentication is successful then the tunnel is established.

That is the normal behaviour.

I hope it helps .. please rate it if it does !!!

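As an added example (not from this thread, and not a Cisco tool), a small Python parser that pulls the tunnel-group blocks out of saved ASA running-config text and summarises the two steps described in the answer above: the phase 1 group pre-shared key, then the user-authentication server order with its LOCAL fallback. The second tunnel-group in the sample is constructed, and an absent authentication-server-group line is taken to mean LOCAL, which is the ASA default.

```python
import re
from typing import Dict, List

# Constructed sample: the thread's tunnel-group block plus a hypothetical second group.
SAMPLE_CONFIG = """\
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 authentication-server-group Radius LOCAL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx
tunnel-group contractors type ipsec-ra
tunnel-group contractors general-attributes
 address-pool vpnpool
tunnel-group contractors ipsec-attributes
 pre-shared-key yyy
"""

def parse_tunnel_groups(config: str) -> Dict[str, dict]:
    """Collect type, user-auth servers and PSK presence per tunnel-group."""
    groups: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) (type|\S+-attributes)(?: (\S+))?$", line.rstrip())
        if m:
            name, kind, arg = m.groups()
            current = groups.setdefault(name, {"type": None, "auth_servers": [], "psk": False})
            if kind == "type":
                current["type"] = arg          # e.g. ipsec-ra = remote access
        elif line.startswith(" ") and current is not None:
            words = line.split()
            if words[0] == "authentication-server-group":
                current["auth_servers"] = words[1:]   # e.g. ["Radius", "LOCAL"]
            elif words[0] == "pre-shared-key":
                current["psk"] = True                 # the key value is not kept
        else:
            current = None  # a non-indented line that is not a tunnel-group header
    return groups

def describe_auth_chain(g: dict) -> str:
    """Phase 1 group credential, then the order the ASA tries for user auth."""
    phase1 = "group PSK" if g["psk"] else "no PSK"
    servers = g["auth_servers"] or ["LOCAL"]  # assumed ASA default when the line is absent
    return f"phase1={phase1}; user-auth={' -> '.join(servers)}"

def groups_with_local_fallback(groups: Dict[str, dict]) -> List[str]:
    """Groups where an AAA server outage falls back to the local user database."""
    return sorted(n for n, g in groups.items()
                  if len(g["auth_servers"]) > 1 and g["auth_servers"][-1] == "LOCAL")
```

Run it against the output of `show running-config` to list every remote-access group and see which ones silently fall back to local accounts when RADIUS is down.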

2 Replies


Thanks for the confirmation.

I appreciate it.
