Remote Access VPN and ACS

Hi Pros,

Below is a config that I built with the SDM. The goal is to configure a remote access VPN in our HQ for traveling salesmen. The VPN router will be in a VPN DMZ. I want to authenticate these guys with ACS (RADIUS) tied to AD, and I want to set a pool of addresses for my teleworkers (each group in a different pool). These guys already have a group in the AD, for instance a sales group, and I do not want to have another one (anyway, a user can be in one group at a time).

1. How can I have ACS make the difference between an authentication coming from the VPN tunnel and an authentication coming from the internal network?

2. Will the configuration below query ACS for my AD users? If not, how can I set the SDM to query my ACS server for users?

3. In SDM, when setting up the remote access VPN and I get to the window "Group authorization and Group Policy Lookup, user authentication (Xauth)": if I choose RADIUS in both, I can't define any group; I am only able to add a RADIUS server. In that case, where do I need to set my group info (group name, IP address, DNS, ...)?

I hope I am clear enough; if not, ask for clarification.

Thanks a bunch,

Jean P


hostname trans_at_VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 20000
enable secret 5 $1$ktbl$QwO4ELmnsnfYAkcdiLsyO.
!
aaa new-model
!
!
! SSH logins, Xauth user authentication and IKE group authorization all try
! RADIUS first; "local" is only consulted when the RADIUS server does not
! answer, not when it rejects the request.
aaa authentication login ssh group radius local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization network sdm_vpn_group_ml_1 group radius local

!
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
no ip dhcp conflict logging
!
!

!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
! Local definition of IKE group OFFICE. Because sdm_vpn_group_ml_1 asks
! RADIUS first, these local attributes are the fallback used when ACS
! cannot be reached.
crypto isakmp client configuration group OFFICE
key ********
dns 10.x.x.254 10.a.b.a
domain trans.atlantic.com
! OFFICE_POOL is referenced here, but no "ip local pool OFFICE_POOL" line
! appears anywhere in this config; the pool must be defined on the router.
pool OFFICE_POOL
! ACL 100 (defined below) is the split-tunnel list pushed to the client
acl 100
group-lock
netmask 255.255.255.224
crypto isakmp profile sdm-ike-profile-1
   match identity group OFFICE
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set OFFICE_SET esp-aes esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set OFFICE_SET
set isakmp-profile sdm-ike-profile-1
!
!
!
crypto pki trustpoint TP-self-signed-2275965122
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2275965122
revocation-check none
rsakeypair TP-self-signed-2275965122
!
!
crypto pki certificate chain TP-self-signed-2275965122
certificate self-signed 01
  3082025D 308201C6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323735 39363531 3232301E 170D3130 31303236 31343530
  33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32373539
  36353132 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A0EC D5172634 BF9E8402 CB8AF59A 1434F302 6BC1A690 DDF8A8AA FD2ADF3B
  A7C9DBD0 87C3FA02 2FD2B5BD 02D74497 D81D1912 25F67774 C5F4640C F1F438AE
  392F2ED9 EBFA89EA 7E9E54BC 87D13AB0 0806EBF2 0A0B2CC6 76CA3C63 290F1EE5
  204D592D 86AC1F36 5119B713 EB896971 877FFAA9 7807EE51 6D4768BD BD073DAA
  FF1B0203 010001A3 81843081 81300F06 03551D13 0101FF04 05300301 01FF302E
  0603551D 11042730 25822372 74725F44 444F5F56 504E2E76 616E636F 75766572
  2E696E66 6F736174 61642E63 6F6D301F 0603551D 23041830 168014B5 517CBF80
  D044D389 7675A257 948ECCE0 D492F130 1D060355 1D0E0416 0414B551 7CBF80D0
  44D38976 75A25794 8ECCE0D4 92F1300D 06092A86 4886F70D 01010405 00038181
  0054E0D8 D22161B4 929CD871 FC892815 5C7AE70E EEA9489C 8C7753AF F27E9F5D
  6016B7B2 A639E11C 47A97725 32CC0411 C3E33CF5 710D8767 ACA28CD2 3C7020FB
  5907EF01 A8B5BAB7 6F4F9CFE 5B025B18 34B1E601 9D88331E 04696BE6 EF89863E
  6CE135B6 3186B8EA BC3377F8 D6BC2345 C8C6ED75 F13B6FDF C7E1783F EA564DF3 A8
        quit
!
!
username trans secret 5 $1$n.oE$g.e2zV0.0P3p7ZHiINPRK1
archive
log config
  hidekeys
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet0/0
description DMZ_Connection
ip address 10.a.b.c 255.255.255.0
no ip redirects
no ip unreachables
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Ethernet1/0
description DMZ6_Connection
ip address 10.112.25.45 255.255.254.0
no ip redirects
no ip unreachables
no ip mroute-cache
full-duplex
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 1.1.1.1 255.255.255.255 Null0
!
!
ip http server
ip http secure-server
ip dns server
!
! Split-tunnel ACL referenced by group OFFICE: only traffic to
! 10.11.0.0/16 is sent through the tunnel by the client
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.11.0.0 0.0.255.255 any
!
!
! ACS on the legacy RADIUS ports 1645/1646. A "key 7" string is only
! obfuscated, not encrypted (type 7 is reversible), so treat it as plaintext.
radius-server host 10.x.z.y auth-port 1645 acct-port 1646 key 7 075870181E
!
control-plane
!
!
line con 0
exec-timeout 5 0
! type 7 line passwords are reversible
password 7 10673A542B1206260D0A
line aux 0
line vty 0 4
! exec-timeout 0 0 disables the idle timeout on SSH sessions
exec-timeout 0 0
! this line password is never used: "login authentication ssh" sends
! vty logins to RADIUS with local fallback
password 7 110A1016141D
login authentication ssh
transport input ssh
transport output all
!
ntp clock-period 17208209
ntp server 10.x.z.y
end
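The following is an added example, not part of Jean P's post or of any SDM output, showing how the RADIUS group lookup that the `aaa authorization network sdm_vpn_group_ml_1 group radius local` line already triggers is normally completed: the router keeps only the address pools and split-tunnel ACLs, while ACS returns the group key, pool name, DNS and ACL as Cisco AV pairs, one set per AD team. The group names SALES and ENG, the pools SALES_POOL and ENG_POOL, the 10.200.x.x ranges, ACLs 101 and 102, the server group VPN-ACS and the pre-shared keys are assumed values; the ACS host 10.x.z.y, the DNS servers and the domain are taken from the posted config.

```cisco
! ======================================================================
! Added example, not the original post's configuration. Group names,
! pools, addresses, ACL numbers, server group and keys are assumed.
! ======================================================================
!
! --- Router (Easy VPN server) side --------------------------------------
!
! One pool per AD team. ACS only returns the pool NAME (ipsec:addr-pool),
! so each name still has to exist as an ip local pool on the router.
ip local pool SALES_POOL 10.200.1.1 10.200.1.30
ip local pool ENG_POOL   10.200.2.1 10.200.2.30
!
! Split-tunnel ACLs that ACS references by number (ipsec:inacl)
access-list 101 remark split tunnel for SALES
access-list 101 permit ip 10.11.0.0 0.0.255.255 any
access-list 102 remark split tunnel for ENG
access-list 102 permit ip 10.12.0.0 0.0.255.255 any
!
! Dedicated server group for the VPN router. On ACS the router is its own
! AAA client (identified by NAS-IP-Address), so requests from the VPN DMZ
! can be told apart from logins on inside devices, e.g. by placing this
! AAA client in its own Network Device Group.
aaa group server radius VPN-ACS
 server 10.x.z.y auth-port 1645 acct-port 1646
!
! Same method lists the SDM generated, now pointed at the dedicated group.
! "local" is only tried when ACS does not answer, never when it rejects.
aaa authentication login sdm_vpn_xauth_ml_1 group VPN-ACS local
aaa authorization network sdm_vpn_group_ml_1 group VPN-ACS local
!
! One IKE group per AD team. Key, pool, DNS and ACL come back from ACS,
! so the local groups can stay empty; only the profile's match
! statements need to name them.
crypto isakmp client configuration group SALES
crypto isakmp client configuration group ENG
!
crypto isakmp profile sdm-ike-profile-1
 match identity group SALES
 match identity group ENG
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
! --- ACS side (what ACS must return, shown as cisco-av-pair values, ------
! --- i.e. vendor-specific attribute 26, vendor 9, attribute 1) -----------
!
! For the group lookup IOS sends User-Name = <IKE group name>,
! User-Password = "cisco", Service-Type = Outbound. ACS therefore needs a
! user called SALES and a user called ENG, both with password "cisco",
! whose profile carries these AV pairs:
!
!   User "SALES" (password cisco), cisco-av-pair:
!     ipsec:key-exchange=ike
!     ipsec:tunnel-password=<SALES group pre-shared key>
!     ipsec:addr-pool=SALES_POOL
!     ipsec:inacl=101
!     ipsec:dns-servers=10.x.x.254 10.a.b.a
!     ipsec:default-domain=trans.atlantic.com
!     ipsec:group-lock=1
!
!   User "ENG" (password cisco), cisco-av-pair:
!     ipsec:key-exchange=ike
!     ipsec:tunnel-password=<ENG group pre-shared key>
!     ipsec:addr-pool=ENG_POOL
!     ipsec:inacl=102
!     ipsec:dns-servers=10.x.x.254 10.a.b.a
!     ipsec:default-domain=trans.atlantic.com
!     ipsec:group-lock=1
!
! Xauth users are the real AD accounts (ACS external user database with
! AD group mapping to ACS groups). With group-lock=1 the ACS group each
! AD team maps to must also name the IKE group its members may use, e.g.
! for the Sales mapping:
!     ipsec:user-vpn-group=SALES
! A Sales user who dials in with IKE group ENG is then rejected at Xauth
! instead of being handed an address from the wrong pool.
```

The pre-shared keys and the RADIUS shared secret live only on ACS and in the router's `radius-server host` line; the posted `key ********` in the local OFFICE group becomes unnecessary once ACS returns `ipsec:tunnel-password`.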

1 REPLY
Re: Remote Access VPN and ACS

Any update on this, guys? Any questions?

Thanks,

Jean Paul
