Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5342
Views
23
Helpful
18
Replies

ASA 5510 and MS IAS radius Cisco VPN Client setup

totusdotus
Level 1
Level 1

‎11-09-2010 07:46 PM

Hello,

I've spent hours trying to make heads or tails of the example: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

XX for privacy

Any direction would be greatly appreciated.

satx-mdf-fw1(config)# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname satx-mdf-fw1
domain-name domain.com
enable password QklkDpuqrOXyFWo7 encrypted
passwd wNIA7lMWIZEQRg9Z encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 2XX.67.103.90 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
timeout 30
name-server 10.10.50.90
domain-name domain.com
access-list inbound remark ** Inbound Filters **
access-list inbound extended permit tcp any host 64.XX2.225.140 eq www
access-list inbound extended permit tcp any host 64.XX2.225.140 eq https
access-list inbound extended permit tcp any host 64.132.225.140 eq smtp
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 64.XX2.225.141 eq ssh
access-list inbound extended permit tcp any host 64.XX2.225.141 eq www
access-list inbound extended permit tcp any host 64.XX2.225.141 eq https
access-list outbound remark ** Outbound Filters **
access-list outbound extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnclient 10.10.50.150-10.10.50.200
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 64.XX2.225.141 10.10.50.22 netmask 255.255.255.255
static (inside,outside) 64.XX2.225.140 10.10.50.90 netmask 255.255.255.255
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 207.67.103.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.10.50.90
key *****
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set my-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
dns-server value 10.10.50.90
default-domain value personalizedprevention.com
username troy password BlahBlah8nfPJo9dtNu encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpnclient
authentication-server-group vpn
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
   inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Many Thanks,

Troy

Labels:
0 Helpful
18 Replies 18

totusdotus
Level 1
Level 1
In response to Jennifer Halim

‎11-10-2010 10:56 PM

Thanks for the tip, http outside turned off now!

Looks like I've got some more noodling to do, don't recall how to setup a local database.  Its been almost 10 years since I've configured a pix, beleive or not I used to work for Cisco in Austin in QA security appliances.  Back when it was IDS, fun stuff!

Cheers,

Troy

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to totusdotus

‎11-10-2010 11:07 PM

To configure the username and password, just configure the following:

username password

Then to assign the vpn group to use local authentication:

tunnel-group vpn general-attributes

     authentication-server-group LOCAL

========================================================

BTW, just look at your config again, and radius authentication server is not assigned to your vpn group, so before you try the above, can you try the following:

tunnel-group vpn general-attributes

     authentication-server-group (inside) vpn

And test to see if VPN Client connection with IAS authentication works.

========================================================

You might want to remove this too:

tunnel-group DefaultRAGroup general-attributes
     no  authentication-server-group (outside) vpn

0 Helpful

totusdotus
Level 1
Level 1
In response to Jennifer Halim

‎11-11-2010 07:13 AM

Ok, I did the following:

1.) executed:

tunnel-group vpn general-attributes

      authentication-server-group (inside) vpn

2.) I added a user to local db.

3.) executed:

tunnel-group DefaultRAGroup general-attributes
     no   authentication-server-group (outside) vpn

Here is the behavior now... When attempting to login via the VPN Client, I get prompted for uname and pass.  When I enter an account that we know works on the IAS radius server I get prompted 3 times before it fails on the third attempt.

When I try with the locally added db account, I only get one try and it fails immediately.

dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.10.50.90
key *****

crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set my-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy vpn internal
group-policy vpn attributes
dns-server value 10.10.50.90
vpn-tunnel-protocol IPSec
default-domain value personalizedprevention.com
username troy password BeT0T8nfPJo9dtNu encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
authentication-server-group (inside) vpn
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *****

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to totusdotus

‎11-11-2010 10:04 PM

You would need to change the authentication depending on which you are testing.

If you are going to test authenticating to IAS radius, then you would need to have the following configured:

tunnel-group vpn general-attributes

      authentication-server-group (inside) vpn

If you are going to test authenticating to local database, then the following is required:

tunnel-group vpn general-attributes

      authentication-server-group LOCAL

Please kindly make sure that you only have 1 or the other when you are configuring it. To check the current configuration, issue: sh run tunnel-group vpn

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents