05-24-2012 03:26 PM - edited 02-21-2020 06:05 PM
Hello!
This might be somewhat esoteric, I can't seem to find any info on it, but if I missed a post or document somewhere, please by all means hook me up with a link!
We currently use Cisco ACS for Windows and a VPN Concentrator for our VPN solution. ACS allows us to assign static local IPs to incoming clients based on their login profile. This is great because it allows us IT folk (and some engineers) to keep our static IPs so that the firewalls allow us proper access to production, etc. when we VPN in.
My question/problem is 2-fold, but related.
1) How do we duplicate that sort of thing with Cisco ASA's using SSL? I managed to get WebVPN set up with AnyConnect and I can connect remotely and login with my ACS username/password (although the only way I can test is to RDP into our Geneva location and you can't run AnyConnect while VPN'd, but at least I get through the login and client install, which is promising). I can't seem to find any way to specify a static IP for specific logins.
2) We'd like to ditch the Cisco ACS and move to using our internal Windows Active Directory for a single-sign-on solution. Will I still be able to use the static IP assignment from question 1 if we do this? And... how *do* you do this? I designed the internal DC as a RADIUS server and thought it was configured right, but it still uses my ACS info when I try to VPN in.
Thank you ahead of time!
Isaac
05-24-2012 11:37 PM
1) On the ASA, you can change the address assignment from local pool, to AAA assign.
Command: vpn-addr-assign aaa:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1644603
I assume that you already know how to configure the ACS server since you've already used the same for your VPN Concentrator.
2) Same as above, since you are using the same RADIUS protocol, all you need is to enable address assignment AAA for VPN.
Hope that answers your questions.
05-29-2012 11:47 AM
Hi Jennifer,
Thank you for your reply. I did find that vpn-addr-assign aaa was set to "no". I've looked through the ASDM and those instructions in that link, but I must be missing something: how do I tell it where the RADIUS server is? It's currently using TACACS+ and pointing to the ACS server.
Do I have to keep the ACS? We're trying to ditch it, and point the firewall directly at the Windows domain controller. Is it necessary to have the ACS setup as a go-between? I'd prefer to point directly from the ASA to the Windows AD if possible.
This might help; these are chunks of the config that I thought might be relevant (there are 3 site VPNs set up and the standard user VPN):
If possible, I'd like to keep the old, original Cisco client-based VPN up while activating the AnyConnect/WebVPN VPN.
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host X.X.X.14
key *****
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
crypto ipsec transform-set A esp-3des esp-md5-hmac
crypto ipsec transform-set B esp-3des esp-sha-hmac
crypto ipsec transform-set C esp-des esp-md5-hmac
crypto ipsec transform-set ClientlessVPN esp-3des esp-md5-hmac
crypto ipsec transform-set ClientlessVPN mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map hood 1 match address 101
crypto map hood 1 set peer A.A.A.4
crypto map hood 1 set transform-set snowyway
crypto map hood 2 match address 104
crypto map hood 2 set peer B.B.B.67
crypto map hood 2 set transform-set waltham
crypto map hood 3 match address 105
crypto map hood 3 set peer C.C.C.66
crypto map hood 3 set transform-set waltham
crypto map hood interface outside
crypto ca trustpoint L-TP
enrollment self
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 1000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
~
webvpn
enable outside
svc image disk0:/anyconnect-win-3.0.07059-k9.pkg 1
svc profiles WebVPN disk0:/webvpn.xml
svc enable
tunnel-group-list enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
dns-server value X.X.X.6 X.X.X.11
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value phtcorp.com
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc profiles value WebVPN type user
svc ask enable default svc timeout 10
always-on-vpn profile-setting
~
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool WebVPN
authentication-server-group TACACS+
default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server X.X.X.11 master timeout 2 retry 2
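The excerpt above contains the three settings the replies turn on: `vpn-addr-assign aaa` is disabled, the `RADIUS` aaa-server group has no host, and the WebVPN tunnel-group authenticates against the `TACACS+` group. The ASA only takes per-user addresses from a RADIUS server (Framed-IP-Address), so all three have to change before AAA-assigned addresses can work. The script below is an added example, not code from the thread or from Cisco: it parses a flat ASA dump (a trimmed copy of the posted excerpt, constructed here) and reports those findings, plus the DES/MD5/group 1 ISAKMP policy that is also visible in the excerpt. The "fixed" sample config and the host `X.X.X.11` in it are assumptions for contrast only.

```python
import re

# Constructed sample: trimmed copy of the ASA excerpt posted in the thread
POSTED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host X.X.X.14
key *****
aaa-server RADIUS protocol radius
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool WebVPN
authentication-server-group TACACS+
default-group-policy GroupPolicy1
"""

# Constructed sample: what the same settings look like once the replies' advice is applied
# (host X.X.X.11 is assumed to be the RADIUS/IAS server; not from the thread)
FIXED_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host X.X.X.11
key *****
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
vpn-addr-assign aaa
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool WebVPN
authentication-server-group RADIUS
"""

# Values treated as weak for an ISAKMP policy
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_asa(text):
    """Collect the settings the audit needs from a flat (un-indented) ASA config dump."""
    cfg = {"aaa_groups": {}, "isakmp": {}, "tunnel_auth": {}, "addr_assign_aaa": True}
    context = None  # which multi-line block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # vpn-addr-assign is global, so check it before any block context
        if line == "no vpn-addr-assign aaa":
            cfg["addr_assign_aaa"] = False
            continue
        if line == "vpn-addr-assign aaa":
            cfg["addr_assign_aaa"] = True
            continue
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            cfg["aaa_groups"][m.group(1)] = {"protocol": m.group(2), "hosts": []}
            context = None
            continue
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        if m:
            grp = cfg["aaa_groups"].setdefault(m.group(1), {"protocol": "?", "hosts": []})
            grp["hosts"].append(m.group(2))
            continue
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            context = ("isakmp", m.group(1))
            cfg["isakmp"][m.group(1)] = {}
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            context = ("tunnel", m.group(1))
            continue
        if context and context[0] == "isakmp":
            parts = line.split()
            if len(parts) == 2 and parts[0] in WEAK:
                cfg["isakmp"][context[1]][parts[0]] = parts[1]
        elif context and context[0] == "tunnel":
            m = re.match(r"authentication-server-group (\S+)", line)
            if m:
                cfg["tunnel_auth"][context[1]] = m.group(1)
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means AAA address assignment can work."""
    findings = []
    if not cfg["addr_assign_aaa"]:
        findings.append("vpn-addr-assign aaa is disabled: per-user addresses from the AAA server are never used")
    for tg, grp in cfg["tunnel_auth"].items():
        proto = cfg["aaa_groups"].get(grp, {}).get("protocol")
        if proto != "radius":
            findings.append(f"tunnel-group {tg} authenticates against {grp} ({proto}); "
                            "AAA address assignment needs a RADIUS server group")
    for name, g in cfg["aaa_groups"].items():
        if g["protocol"] == "radius" and not g["hosts"]:
            findings.append(f"aaa-server group {name} is RADIUS but has no host configured")
    for pol, attrs in cfg["isakmp"].items():
        weak = [f"{k} {v}" for k, v in attrs.items() if v in WEAK[k]]
        if weak:
            findings.append(f"isakmp policy {pol} uses weak settings: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(parse_asa(text)) or ["no findings"]:
            print(" -", f)
```

Run against the posted excerpt it reports four findings; against the fixed sample it reports none. The parser assumes the un-indented form shown in the thread (a `show running-config` dump is indented, so strip leading spaces first, as `parse_asa` does).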
05-29-2012 08:15 PM
Here is a sample configuration to use ACS radius as authentication:
If you point directly to AD, you can only perform authentication. I don't believe that you can assign IP Address directly using LDAP as protocol which AD uses. However, you can enable IAS service on your AD, which runs on RADIUS protocol, and it can be used to assign IP address.
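The reason RADIUS can hand the ASA a per-user address while LDAP cannot is that the Access-Accept packet itself carries the address, as the Framed-IP-Address attribute (type 8, RFC 2865); an IAS/NPS server fills it from the user's dial-in settings. The code below is an added example, not from the thread, Cisco or Microsoft: the server side builds an Access-Accept with Framed-IP-Address and the Response Authenticator, and the NAS side (the ASA's role) checks that authenticator against the shared secret before trusting the address. The request authenticator, shared secret and address are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2       # RADIUS packet code (RFC 2865)
FRAMED_IP_ADDRESS = 8   # attribute type carrying the per-user address


def build_accept(ident, request_auth, secret, framed_ip):
    """Server side: Access-Accept with Framed-IP-Address and a Response Authenticator.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    computed over the header with the final length already filled in.
    """
    attrs = struct.pack("!BB4s", FRAMED_IP_ADDRESS, 6, ipaddress.IPv4Address(framed_ip).packed)
    length = 20 + len(attrs)                      # 4-byte header + 16-byte authenticator + attributes
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_and_extract(packet, request_auth, secret):
    """NAS side: verify the Response Authenticator, then return the Framed-IP-Address.

    Returns None when the packet is malformed, is not an Access-Accept, fails the
    authenticator check, or carries no Framed-IP-Address.
    """
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None                               # tampered, or wrong shared secret: ignore the address
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None                           # malformed attribute length
        value = attrs[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
        pos += alen
    return None


if __name__ == "__main__":
    # Constructed values: in practice the NAS picks the request authenticator at random
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    pkt = build_accept(7, req_auth, secret, "10.10.5.21")
    print("address accepted:", verify_and_extract(pkt, req_auth, secret))
    print("wrong secret:", verify_and_extract(pkt, req_auth, b"wrong"))
```

The authenticator check is what stops an on-path host from rewriting the address in transit; the shared secret on the `aaa-server ... key` line is the only thing protecting that check, so it deserves the same care as any other credential.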