03-20-2012 05:51 AM - edited 03-10-2019 06:55 PM
Hi
I would appreciate it if somebody could guide me on how to configure ACS 5.0 RADIUS for remote access VPN authentication.
And how could I implement the IP pools for the VPN users?
Best regards
Muralee
03-20-2012 06:12 AM
Hi Muralee,
In case you are trying to configure VPN authentication for IP pool management, then I would say it's not a good idea, because:
In ACS 5.x, IP pool management is not supported. While RADIUS servers nearly always did this in the early dial-up days, today DHCP is commonly used. For ACS 5, a decision was made to drop IP pool management and recommend that customers use DHCP.
However, if you want to configure VPN authentication:
From the ACS perspective, all you need to do is the following:
access policies > default network address > identity (select internal users, or if it's AD then select AD) > authorization > click on customize > move the desired condition >
for example > device ip address > put in the IP address of the ASA (VPN device) > authorization profile > permit access.
So it will be:
access policy > default network access > identity (internal users or AD) > authorization > create rule > device ip=1.1.1.1 > authorization profile=permit access
Let me know if it helps:
On the ASA, do the following:
aaa-server ACS_5.0 protocol radius
 reactivation-mode depletion deadtime 20
 max-failed-attempts 5
aaa-server ACS_5.0 host x.x.x.x
 key x.x.x.x
 authentication-port 1812
 accounting-port 1813
tunnel-group ACS_5.0 type ipsec-ra
tunnel-group ACS_5.0 general-attributes
 authentication-server-group ACS_5.0
 default-group-policy ACS_5.0
tunnel-group ACS_5.0 ipsec-attributes
 pre-shared-key *
Try the test authentication and let me know if it helps
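A consistency check for the ASA commands in the post above, as an added example that is not part of the original thread: it confirms that each tunnel-group's authentication-server-group names a defined RADIUS aaa-server group that has at least one host with a shared key. The function names are hypothetical, and the host address and key in the sample are constructed placeholders.

```python
import re

# Constructed sample: commands from the post, one per line. The host
# address and key are made-up placeholders, not values from the thread.
SAMPLE = """\
aaa-server ACS_5.0 protocol radius
aaa-server ACS_5.0 host 192.0.2.10
 key ExampleSharedSecret
 authentication-port 1812
tunnel-group ACS_5.0 type ipsec-ra
tunnel-group ACS_5.0 general-attributes
 authentication-server-group ACS_5.0
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level command."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    radius, hosts, findings = set(), {}, []
    for head, subs in blocks:
        if m := re.fullmatch(r"aaa-server (\S+) protocol radius", head):
            radius.add(m.group(1))
        elif m := re.fullmatch(r"aaa-server (\S+) (?:\(\S+\) )?host (\S+)", head):
            hosts.setdefault(m.group(1), []).append((m.group(2), subs))
    for head, subs in blocks:
        if not (m := re.fullmatch(r"tunnel-group (\S+) general-attributes", head)):
            continue
        refs = [s.split()[1] for s in subs if s.startswith("authentication-server-group ")]
        if not refs:
            findings.append(f"{m.group(1)}: no authentication-server-group")
        for grp in refs:
            if grp not in radius:
                findings.append(f"{m.group(1)}: group {grp} is not a defined RADIUS group")
            elif not hosts.get(grp):
                findings.append(f"{grp}: no host configured")
            for host, hsubs in hosts.get(grp, []):
                if not any(s.startswith("key ") for s in hsubs):
                    findings.append(f"{grp} host {host}: no shared key")
    return findings
```

Run `audit()` on a saved copy of the running configuration before the test authentication; each finding names the tunnel-group or server group to correct.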
03-20-2012 09:54 PM
Hi Minkumar
Thanks for the reply.
I would appreciate it if you could be more descriptive on the ACS configuration, as this is the first time I am configuring it.
Also, how could I do the IP address assignment for the VPN users? Please include it in the configuration.
03-21-2012 06:43 AM
Hi
IP address assignment is not possible on ACS. However, you can configure simple VPN authentication.
On ACS:
access policies > default network address > identity (select internal users, or if it's AD then select AD) > authorization > click on customize > move the desired condition >
for example > device ip address > put in the IP address of the ASA (VPN device) > authorization profile > permit access.
So it will be:
access policy > default network access > identity (internal users or AD) > authorization > create rule > device ip=1.1.1.1 > authorization profile=permit access
You can follow the below link for common scenarios:
Regards
Minakshi
Do rate the helpful posts
03-23-2012 10:27 PM
Hi
Thanks for the support.
I was able to do it with static IP address assignment.
Thanks again.