I've configured WebVPN on an IOS router, and the VPN part seems to be working OK (I can ping by IP address, etc.). I have several users who have laptops (WinXP SP2) that are members of the domain (let's call the AD domain "DOMAIN" for the purpose of this post). The users go home, reboot their laptop, and log into the laptop with their cached DOMAIN credentials. They WebVPN in, and again they can ping, browse the web, etc. However, they CANNOT browse the Active Directory domain. When they try to access shares on the server, WinXP throws an error saying "Access is Denied. Local Device is already in use".
I've looked up everything possible on the Win2k3/AD side, and the best I've seen is that users should delete and re-create the drive mappings. Something about cached credentials, but no matter what I do the inherent credentials on the laptop aren't passing through.
I have a decent amount of Windows AD experience to know that the laptop, which is a member of the domain, and the user logging into the laptop, which is in the domain, should just authenticate and get into the server and any other member servers.
I think though that somehow the SSL VPN Client (SVC) is messing up the Kerberos authentication to the server. I'm running the latest SVC on top of IOS 12.4(6)T.
Here's the config. Anyone who helps me solve this gets a beer of their choice, at the bar of their choice (as long as it's in Boston!)
It is very important that you have at least one user with administrator privilege (15); if not, you will need to do the password recovery procedure. Also, you can review the current privileges of the commands by typing:
show privilege all
You can change them with the
privilege level command
aaa authentication enable console LOCAL
username admin password cisco123 privilege 15 <--- this is for the administrator
username xx password access1 privilege 5 <---- read only for user xx
Thanks for the reply, but I think you misunderstood the message. The problem is not with my local admin (priv 15) access into the router. The problem is with users that VPN into the network via IOS WebVPN. They /were/ using a generic account for webvpn access (i.e. username webvpn priv 5 password vpnaccess). However, once the SSL Tunnel Client (STC) connects, and the users are "in" the network, they can't access their previously mapped shared drives, and can't browse the domain etc. They keep getting access denied messages.
Since my previous post, however, I tried something different: I created an account on the router with a username/password that matched the users' domain account (i.e. username jdoe priv 5 password domainpass) and THAT seems to work.
So here's my question: is the WebVPN service, running with the FULL tunnel client (not web only, not thin client or port-forwarding) acting as a type of proxy between the VPN'd user and the resources the user is trying to access? Is it using the credentials that the user used to connect to the WebVPN to then connect to other resources? If so, then my guess is that I should set up the Microsoft Internet Authentication Service (IAS), aka MS Radius, for the WebVPN authentication?
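The thread ends with the question of whether WebVPN authentication could be pointed at IAS (RADIUS) instead of local router accounts. The following IOS SSL VPN configuration is an added illustration of how that binding is expressed on a 12.4T router; it is not from the original thread, does not claim to resolve the share-access error described above, and the hostnames, addresses, pool, trustpoint and shared key are placeholders. The security-relevant point it makes is that a per-user authentication list (RADIUS first, local as fallback) replaces the shared generic "webvpn" account, so that each tunnel is tied to an identifiable user and the router's local database no longer has to mirror domain passwords.

```cisco
! Added example, not the thread's own config. Placeholder values throughout.
aaa new-model
!
! Per-user authentication for SSL VPN logins: try the RADIUS group (IAS)
! first, fall back to the local database only if RADIUS is unreachable.
aaa authentication login SSLVPN-AUTH group radius local
!
! RADIUS server (IAS host) - placeholder address and key
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SHARED-KEY-PLACEHOLDER
!
! Address pool handed to full-tunnel (SVC) clients - placeholder range
ip local pool SSLVPN-POOL 192.168.100.1 192.168.100.50
!
! The gateway is the listener on the router's public address
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint TP-self-signed-placeholder
 inservice
!
! The context ties the gateway to the AAA list and the client policy
webvpn context SSLVPN-CTX
 ssl authenticate verify all
 !
 policy group SSLVPN-POLICY
   functions svc-enabled
   svc address-pool "SSLVPN-POOL"
   svc keep-client-installed
 default-group-policy SSLVPN-POLICY
 !
 ! This is the line that moves VPN logins off the local "username" entries
 aaa authentication list SSLVPN-AUTH
 gateway SSLVPN-GW
 inservice
```

With this in place the local `username webvpn` entry can be removed, and the administrator (privilege 15) account from the earlier reply remains the only local login the router needs. Whether RADIUS-authenticated tunnels change the Windows share behaviour is a separate question the thread does not answer; the VPN login and the Kerberos/SMB authentication to the file server remain two distinct credential exchanges.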