How to configure authentication to the VPN on a Microsoft Windows server with Kerberos

Core issue

This document lists the steps needed to set up a Microsoft Windows (Kerberos) authentication server for remote-access VPN users on the ASA.

Resolution

Complete these steps:

  1. Configure an authentication server on the ASA with Kerberos:

    hostname(config)#aaa-server TACACS+_Servers protocol tacacs+
    hostname(config)#aaa-server TACACS+_Servers host x.x.x.x key pqrs
    hostname(config)#aaa-server WindowsAuth protocol kerberos
    hostname(config)#aaa-server WindowsAuth host y.y.y.y
    hostname(config-aaa-server-host)#kerberos-realm Example.LOCAL

    Note: x.x.x.x and y.y.y.y stand for the IP addresses of the TACACS+ and Kerberos authentication servers respectively, and pqrs is the TACACS+ key.

  2. Test the authentication once the ASA clock is synchronized with the Kerberos realm. This example shows a successful authentication test:

    5510(config-aaa-server-host)#test aaa-server authentication WindowsAuth host y.y.y.y
    Username: abcd
    Password: *********

    INFO: Attempting Authentication test to IP address
    (timeout: 12 seconds)
    INFO: Authentication Successful

  3. Add the authentication server to the tunnel-group:

    hostname(config)#tunnel-group CommunitySavingsBank type ipsec-ra
    hostname(config)#tunnel-group CommunitySavingsBank general-attributes
    hostname(config-tunnel-general)#address-pool Remote_User_IP_Pool
    hostname(config-tunnel-general)#authentication-server-group WindowsAuth
    hostname(config)#tunnel-group CommunitySavingsBank ipsec-attributes
    hostname(config-tunnel-ipsec)#pre-shared-key ***

  4. Configure the ASA to exempt the VPN IP pool from NAT. Configure a NAT exemption rule (nat 0) so that traffic to and from the pool passes without being translated.
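The four steps form a dependency chain: the tunnel-group must name a defined aaa-server group, that group must use protocol kerberos and carry a kerberos-realm on its host, the address-pool must exist, and the pool must be covered by the NAT exemption. The following Python script is an added example, not part of the original Cisco document, that parses a constructed ASA configuration fragment (hypothetical group names, addresses, pool and realm) and reports any broken link in that chain. It also flags a realm that is not written in upper case, because Kerberos realm names are case-sensitive and Active Directory realms are conventionally upper-case. The parser understands only the pre-8.3 `nat (interface) 0 access-list` exemption form that step 4 refers to.

```python
import ipaddress
from typing import Dict, List


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(text: str) -> Dict[str, dict]:
    """Parse only the ASA commands used in the four steps (a constructed subset, not a full parser).
    Returns {"aaa": group -> {"protocol", "hosts": host -> realm}, "tunnels": name -> attrs,
             "pools": name -> (first, last), "acls": name -> [(src, dst)], "nat0": [acl names]}."""
    cfg = {"aaa": {}, "tunnels": {}, "pools": {}, "acls": {}, "nat0": []}
    host = tg = None  # sub-mode context that indented lines attach to
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented, tok = raw.startswith(" "), raw.split()
        if not indented:  # any top-level command ends the current sub-mode
            host = tg = None
        if tok[0] == "aaa-server" and len(tok) >= 4:
            grp = cfg["aaa"].setdefault(tok[1], {"protocol": None, "hosts": {}})
            if tok[2] == "protocol":
                grp["protocol"] = tok[3]
            elif tok[2] == "host":
                grp["hosts"].setdefault(tok[3], None)
                host = (tok[1], tok[3])
        elif indented and host and tok[0] == "kerberos-realm":
            cfg["aaa"][host[0]]["hosts"][host[1]] = tok[1]
        elif tok[0] == "tunnel-group" and len(tok) >= 3:
            cfg["tunnels"].setdefault(tok[1], {})
            if tok[2] == "general-attributes":
                tg = tok[1]
        elif indented and tg and len(tok) >= 2:
            cfg["tunnels"][tg][tok[0]] = tok[1]  # address-pool, authentication-server-group
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) >= 5:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif tok[0] == "access-list" and len(tok) >= 9 and tok[2:5] == ["extended", "permit", "ip"]:
            cfg["acls"].setdefault(tok[1], []).append((_net(tok[5], tok[6]), _net(tok[7], tok[8])))
        elif tok[0] == "nat" and len(tok) >= 5 and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"].append(tok[4])
    return cfg


def pool_is_nat_exempt(cfg: Dict[str, dict], pool: str) -> bool:
    """True when some nat 0 ACL entry's destination network contains the whole pool range."""
    first, last = cfg["pools"][pool]
    return any(first in dst and last in dst
               for acl in cfg["nat0"] for _src, dst in cfg["acls"].get(acl, []))


def check_vpn_auth(cfg: Dict[str, dict]) -> List[str]:
    """Walk tunnel-group -> aaa-server -> realm and tunnel-group -> pool -> nat 0; [] means intact."""
    out: List[str] = []
    for name, tg in cfg["tunnels"].items():
        grp_name = tg.get("authentication-server-group")
        grp = cfg["aaa"].get(grp_name)
        if grp is None:
            out.append(f"{name}: authentication-server-group {grp_name} is missing or undefined")
        else:
            if grp["protocol"] != "kerberos":
                out.append(f"{grp_name}: protocol is {grp['protocol']}, expected kerberos")
            if not grp["hosts"]:
                out.append(f"{grp_name}: no host configured")
            for h, realm in grp["hosts"].items():
                if realm is None:
                    out.append(f"{grp_name} host {h}: kerberos-realm missing")
                elif realm != realm.upper():  # realms are case-sensitive; AD realms are upper-case
                    out.append(f"{grp_name} host {h}: realm {realm} is not upper-case")
        pool = tg.get("address-pool")
        if pool not in cfg["pools"]:
            out.append(f"{name}: address-pool {pool} is missing or undefined")
        elif not pool_is_nat_exempt(cfg, pool):
            out.append(f"{name}: pool {pool} is not covered by a nat 0 exemption")
    return out


# Constructed sample (hypothetical names, addresses and realm) in pre-8.3 ASA syntax.
SAMPLE_CONFIG = """\
aaa-server WindowsAuth protocol kerberos
aaa-server WindowsAuth host 192.0.2.10
 kerberos-realm EXAMPLE.LOCAL
ip local pool Remote_User_IP_Pool 10.10.10.1-10.10.10.50 mask 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
tunnel-group CommunitySavingsBank type ipsec-ra
tunnel-group CommunitySavingsBank general-attributes
 address-pool Remote_User_IP_Pool
 authentication-server-group WindowsAuth
"""

# The same fragment with a mixed-case realm and the NAT exemption left out.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("EXAMPLE.LOCAL", "Example.LOCAL").replace(
    "nat (inside) 0 access-list nonat\n", "")

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_vpn_auth(parse_asa(text)) or ["OK"])
```

Run against the sample the script reports nothing; against the broken copy it reports the mixed-case realm and the missing nat 0 coverage. On ASA 8.3 and later the exemption is written with object NAT (`nat (inside,outside) source static ...`), which this parser does not recognise, so extend `parse_asa` before pointing it at such a configuration.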

Refer to the Kerberos Server Support section of Configuring AAA Servers and the Local Database for more information.
