ASA 5510 - VPN config ?

Hello,

Just inherited an ASA 5510 in production, and am trying to logic out the existing config, and I am confused by the following entries:

tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 authentication-server-group Radius LOCAL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx

Ok, so it appears to me, please correct me if I am wrong, that the initial IPsec connection from the Cisco VPN client to the ASA is using a pre-shared key, and then the user is authenticated by RADIUS for access to services, or the LOCAL db if that fails?

Please advise. All of the clients have the pre-shared key configured, but they are also forced to use their MS login and password to access anything.

Thanks a lot for your help.

Accepted Solution

Re: ASA 5510 - VPN config ?

Hi .. below a brief explanation

tunnel-group vpntunnel type ipsec-ra

* vpntunnel is a remote access VPN group *

tunnel-group vpntunnel general-attributes
 address-pool vpnpool

* vpntunnel group is assigned IP addresses from pool vpnpool *

 authentication-server-group Radius LOCAL

* User authentication for the vpntunnel group is by the servers defined under the Radius group. If that server(s) are unavailable then the local database will be used *

 default-group-policy vpntunnel

tunnel-group vpntunnel ipsec-attributes
 pre-shared-key xxx

* First phase of ISAKMP authentication is based on a preshared password *

In summary, the IPsec tunnel will be established after satisfying 2 steps:

1.- using the group name vpntunnel and the preshared password which are configured on the VPN client.

2.- After the above is successful then the user will be challenged for a username and password which then will be checked against the Radius server(s) .. if authentication is successful then the tunnel is established.

That is the normal behaviour.

I hope it helps .. please rate it if it does !!!
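To put the tunnel-group from the thread in context, here is an added example (not configuration from the original poster or from Cisco) of the surrounding pieces an 8.x-era ASA needs for this remote-access setup: the aaa-server group that the tunnel-group refers to as "Radius", the address pool, the group policy, and the IKE/IPsec policy that terminates the clients. Every address, host, server name and secret in it is a constructed placeholder. Two things are worth keeping in mind when reading it. The pre-shared key is a group credential present in every client's profile, so it only proves membership in the group; the per-user step is XAUTH against the RADIUS group. And LOCAL after Radius is a fallback the ASA uses only when all servers in the Radius group are unreachable; a password rejected by RADIUS does not fall through to the local database.

```cisco
! Added example, not the thread's configuration. Constructed addresses and
! placeholder secrets throughout; keywords are the 7.x/8.0-8.2 syntax that
! matches the Cisco VPN client era (8.4+ renames "ipsec"/"isakmp" to "ikev1").

! Address pool handed out to clients in the vpntunnel group
ip local pool vpnpool 192.168.100.10-192.168.100.50 mask 255.255.255.0

! RADIUS server group named "Radius" (the name used by the tunnel-group).
! 10.0.0.5 is a constructed placeholder for the RADIUS host.
aaa-server Radius protocol radius
aaa-server Radius (inside) host 10.0.0.5
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 timeout 5

! Local account used only while every server in "Radius" is marked FAILED;
! a password rejected by RADIUS does not fall back to this database.
username vpnfallback password LOCAL-PASSWORD-PLACEHOLDER privilege 0

! Group policy applied by "default-group-policy vpntunnel"
group-policy vpntunnel internal
group-policy vpntunnel attributes
 vpn-tunnel-protocol ipsec
 dns-server value 10.0.0.10
 default-domain value corp.example

! The tunnel-group from the thread, with the two authentication steps:
!  1) group name + pre-shared-key -> ISAKMP phase 1 (shared by all clients)
!  2) username + password         -> XAUTH against "Radius", LOCAL as fallback
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 authentication-server-group Radius LOCAL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key GROUP-PSK-PLACEHOLDER

! IKE phase 1 policy, IPsec transform set and the dynamic crypto map
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
```

To check which path a login actually took, "show aaa-server Radius" shows whether the server is ACTIVE or FAILED (LOCAL is only consulted in the FAILED state), "test aaa-server authentication Radius host 10.0.0.5 username <user> password <pass>" exercises the RADIUS step without a client, and "show vpn-sessiondb remote" lists the established sessions with the pool address each user received.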

2 REPLIES

Re: ASA 5510 - VPN config ?

Thanks for the confirmation.

I appreciate it.
