Most people tell me how much easier it is with the ASDM but I have always been more comfortable in the CLI as that is all I use. Also if I use ASDM at work I will kind of get frowned upon as they all use the CLI.

You have any ideas on the CLI version of the commands?

Sure, ultimately it comes to you, whatever you feel comfortable with. The document I mentioned also has the relavent comamnd line.

Ok last question on this (I hope) Using the link you gave me and based on the information (the sh run) is what I have below correct?

!--- Configure the AAA Server group.

ciscoasa(config)# aaa-server RADIUS_SERVER_GROUP protocol RADIUS

ciscoasa(config-aaa-server-group)# exit

!--- Configure the AAA Server. (192.168.*.* being the server IP)

ciscoasa(config)# aaa-server RADIUS_SERVER_GROUP (inside) host 192.168.*.*

ciscoasa(config-aaa-server-host)# key secretkey

ciscoasa(config-aaa-server-host)# exit

!--- Configure the tunnel group to use the new AAA setup. (examplevpn being the group authentication name)

ciscoasa(config)# tunnel-group examplevpn general-attributes

ciscoasa(config-tunnel-general)# authentication-server-group RADIUS_SERVER_GROUP

And getting rid of the other commands that make it LOCAL authentication. Leaving me with the following config (please, please, please check the config thoroughly, I dont want to mess this up)

ASA# sh run

: Saved

:

ASA Version 8.3(1)

hostname ASA

domain-name mydomain.local

enable password GmSL9emLLUC2J7jz encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group pppoe_group

ip address pppoe setroute

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name mydomain.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-vpnPool

subnet 192.168.101.0 255.255.255.0

object network SERVER01

host 192.168.*.*

object network obj-Internal-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network SERVER02

host 192.168.*.*

object network SERVER03

host 192.168.*.*

object network obj-OutsideIP

host 74.164.148.6

access-list splittunnel standard permit 192.168.1.0 255.255.255.0

access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list outside_in extended permit tcp any host 192.168.*.* eq www

access-list outside_in extended permit tcp any host 192.168.*.* eq https

access-list outside_in extended permit tcp any host 192.168.*.* eq smtp

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.101.50-192.168.101.100

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool

object network obj_any

nat (inside,outside) dynamic interface

object network SERVER01

nat (inside,outside) static interface service tcp smtp smtp

object network SERVER02

nat (inside,outside) static interface service tcp www www

object network SERVER03

nat (inside,outside) static interface service tcp https https

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS_SERVER_GROUP protocol RADIUS

aaa-server RADIUS_SERVER_GROUP (inside) host 192.168.*.*

key secretkey

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5

crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800

crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map RA-VPN 1 set reverse-route

crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN

crypto map RA-VPN interface outside

crypto isakmp identity address

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 10

crypto isakmp ipsec-over-tcp port 1000

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

management-access inside

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname emailaddress@bellsouth.net

vpdn group pppoe_group ppp authentication pap

vpdn username emailaddress@bellsouth.net password *****

dhcpd dns 192.168.*.* 4.2.2.2

dhcpd lease 8400

dhcpd ping_timeout 750

dhcpd domain mydomain.local

dhcpd auto_config outside

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

priority-queue inside

priority-queue outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy examplevpn internal

group-policy examplevpn attributes

dns-server value 192.168.*.* 4.2.2.2

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

default-domain value mydomain.local

username vicky password 9fO.vlLc77pAFoHp encrypted privilege 15

username otherusers password hhckff6QokyoRdar encrypted privilege 10

username examplevpn password IKg0RMHfprF6Ya3u encrypted

username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15

username admin attributes

vpn-group-policy examplevpn

tunnel-group RA-VPN type remote-access

tunnel-group examplevpn type remote-access

tunnel-group examplevpn general-attributes

address-pool vpnpool

authentication-server-group RADIUS_SERVER_GROUP

default-group-policy examplevpn

tunnel-group examplevpn ipsec-attributes

pre-shared-key *****

class-map global-class

match default-inspection-traffic

class-map class_sip_tcp

match port tcp eq sip

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect sqlnet

  inspect tftp

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect icmp

  inspect ipsec-pass-thru

  inspect ip-options

class class_sip_tcp

  inspect sip

service-policy global_policy global

prompt hostname context

Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad

That right?

Thanks,

Vicky

Yes it looks correct. Its easy as it sounds

After speaking with the server guy at my work and also looking over another config, I saw that it included LDAP. The server guy told me that Active Directory automatically uses LDAP. So this being said, if the following changes to my configuration correct?

aaa-server TACACS+ Protocol tacacs+                                             <------- Do I even need this? Im not using Ciscos protocols here am I?
aaa-server RADIUS_SERVER_GROUP protocol RADIUS

aaa-server LDAP_SERVER_GROUP protocol ldap                   
aaa-server LDAP_SERVER_GROUP (inside) host 192.168.*.*

  ldap-base-dn dc=mydomain                                                            <--------- Do I need to add ",dc=local"? if the domain name is mydomain.local?

  ldap-scope subtree

  ldap-naming-attribute sAMAccountName

  ldap-login-password *

  ldap-login-dn cn=administrator, cn=users, dc=mydomain                  <--------- Do I need to add ",dc=local"? if the domain name is mydomain.local?

  server-type microsoft
key secretkey                                                                                 <---------- Do I even need this? Concidering I have the ldap-login-password I mean.

And obviously changing the following:

tunnel-group RA-VPN type remote-access
tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERVER_GROUP

By the way, thank you in all your help with this, it has been very helpful

Vicky

Any updates? I really need this config sorted

Hi Vicky,

What exactly you want to use?  LDAP, RADIUS or TACACS? Your RADIUS server confing was correct if RADIUS server is setup fine, it should work.

I have a Microsoft 2008 server running RADIUS. But Microsoft uses LDAP, which is why I asked

was wondering.

I don't know how it's done on an MS RADIUS server, but in our setup the VPN does

not talk LDAP, it talks RADIUS to the RADIUS server and the RADIUS server in turn

talks ldap/smbauth to the LDAP and Active Directory servers respectively.

You should get that process cleared up with your server guys.  On the VPN

side it looks like this:

vpdn group DefaultRAGroup localname foo
vpdn group DefaultRAGroup ppp authentication pap

dynamic-access-policy-record DfltAccessPolicy
aaa-server xxx protocol radius
aaa-server xxx (management) host XX.XX.XX.XX
key *****   
authentication-port 1812

no vpn-addr-assign aaa
no vpn-addr-assign local

group-policy DfltGrpPolicy attributes

  dhcp-network-scope YY.YY.YY.YY

split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-default-routes

intercept-dhcp 255.255.0.0 enable

user-authentication enable
address-pools value vpn-ras1-defaultpool
tunnel-group DefaultRAGroup general-attributes

  user-authentication enable
   address-pools value vpn-ras1-defaultpool

  authentication-server-group xxx
  authentication-server-group (outside) xxx
  dhcp-server ZZ.ZZ.ZZ.ZZ
  strip-realm 
  strip-group 
  username-from-certificate use-entire-name

tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2

...once the RADIUS server is configured you should be able to see it up with:

#show aaa-server xxx

Server Group:     xxx
Server Protocol: radius
Server Address:     XX.XX.XX.XX
Server port:     1812(authentication), 1646(accounting)
Server status:     ACTIVE, Last transaction at 22:35:17 edt Thu Aug 26 2010
Number of pending requests        0
Average round trip time            33ms
Number of authentication requests    1970
Number of authorization requests    0
Number of accounting requests        0
Number of retransmissions        0
Number of accepts            1899
Number of rejects            54
Number of challenges            0
Number of malformed responses        0
Number of bad authenticators        0
Number of timeouts            17
Number of unrecognized responses    0

...often you cannot test real authentication but you can at least ensure the

"Number of authentication requests" and "Number of rejects" increments

usingt the command:

# test aaa-server authentication xxx host XX.XX.XX.XX username foo password foo
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure

...if you've got communication problems between the VPN and RADIUS server, you'll

get a timeout instead of a Rejected.

Once you have that working you are pretty much done on the VPN side and it's

all down to taming the RADIUS server configs.

Ok so I got the config in there (Keeping the LOCAL commands so I dont interupt the current VPNs too much) and I am running the "test aaa-server authentication LDAP_SERV_GROUP host 192.168.*.*" command to test the usernames and password authentication (had to change the AAA group name to LDAP_SERV_GROUP instead of the other as the other was too long) . However it is coming up as failing. This is my output:

Username: administrator

Password: ********

INFO: Attempting Authentication test to IP address <192.168.*.*> (timeout: 12 seconds)

[3420] Session Start

[3420] New request Session, context 0xc9de1448, reqType = Authentication

[3420] Fiber started

[3420] Creating LDAP context with uri=ldap://192.168.*.*:389

[3420] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful

[3420] supportedLDAPVersion: value = 3

[3420] supportedLDAPVersion: value = 2

[3420] Binding as Administrator

[3420] Performing Simple authentication for Administrator to 192.168.*.*

[3420] LDAP Search:

        Base DN = [dc=mydomain ]

        Filter  = [sAMAccountName=administrator]

        Scope   = [SUBTREE]

[3420] Request for administrator returned code (10) Referral

[3420] Fiber exit Tx=286 bytes Rx=608 bytes, status=-1

[3420] Session End

ERROR: Authentication Rejected: Unspecified

Its not due to bad authentication as it is coming up with the code (10) Referral (or so I assume)

I did change my AAA to "ldap-login-dn cn=Administrator, cn=Users, dc=mydomain, dc=local"

instead of "ldap-login-dn cn=administrator, cn=users, dc=mydomain"

Because the following output was the result of not having the "dc=local" at the end

But the output was:

ASA# test aaa-server authentication LDAP_SERV_GROUP host 192.168.*.*

Username: administrator

Password: ********

INFO: Attempting Authentication test to IP address <192.168.*.*> (timeout: 12 seconds)

[3419] Session Start

[3419] New request Session, context 0xc9de1448, reqType = Authentication

[3419] Fiber started

[3419] Creating LDAP context with uri=ldap://192.168.*.*:389

[3419] Connect to LDAP server: ldap://192.168.*.*:389, status = Successful

[3419] supportedLDAPVersion: value = 3

[3419] supportedLDAPVersion: value = 2

[3419] Binding as administrator

[3419] Performing Simple authentication for administrator to 192.168.*.*

[3419] Simple authentication for administrator returned code (49) Invalid credentials

[3419] Failed to bind as administrator returned code (-1) Can't contact LDAP server

[3419] Fiber exit Tx=204 bytes Rx=567 bytes, status=-2

[3419] Session End

ERROR: Authentication Server not responding: AAA Server has been removed

I am still looking stuff up and troubleshooting, mainly using "debug ldap 255" and obviously I double checked my credientials were correct by using the command line command "dsquery user -samid administrator" on the server

Any ideas though?

Yes you were right. Here is the complete working config in case someone needs help like I did. Thanks for the help guys

ASA# sh run
: Saved
:
ASA Version 8.3(1)

hostname
domain-name mydomain.local
enable password GmSL9emLLUC2J7jz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe_group
ip address pppoe setroute

interface Ethernet0/0
switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name mydomain.local

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj-vpnPool
subnet 192.168.101.0 255.255.255.0

-----------Same server, 1 per protocol-------------

object network SERVER01
host 192.168.*.*

object network obj-Internal-192.168.1.0
subnet 192.168.1.0 255.255.255.0

object network SERVER02
host 192.168.*.*

object network SERVER03
host 192.168.*.*

object network obj-OutsideIP
host 73.*.*.*

access-list splittunnel standard permit 192.168.1.0 255.255.255.0

access-list outside_in extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.168.*.* eq www
access-list outside_in extended permit tcp any host 192.168.*.* eq https
access-list outside_in extended permit tcp any host 192.168.*.* eq smtp

pager lines 24
logging asdm informational

mtu inside 1500
mtu outside 1500

ip local pool vpnpool 192.168.101.50-192.168.101.100
icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400

nat (inside,outside) source static obj-Internal-192.168.1.0 obj-Internal-192.168.1.0 destination static obj-vpnPool obj-vpnPool

object network obj_any
nat (inside,outside) dynamic interface

object network SERVER01
nat (inside,outside) static interface service tcp smtp smtp

object network SERVER02
nat (inside,outside) static interface service tcp www www

object network SERVER03
nat (inside,outside) static interface service tcp https https

access-group outside_in in interface outside

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+
aaa-server RA_SERVER_GROUP protocol radius
aaa-server LDAP_SERV_GROUP protocol ldap
aaa-server LDAP_SERV_GROUP (inside) host 192.168.*.*

ldap-base-dn dc=mydomain, dc=local           
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****                   <----Password of the server
ldap-login-dn cn=Administrator, cn=Users, dc=mydomain, dc=local 
server-type microsoft

aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL

http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside

no snmp-server location
no snmp-server contact

snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set transform-set ESP-3DES-MD5
crypto dynamic-map RA-VPN 1 set security-association lifetime seconds 28800
crypto dynamic-map RA-VPN 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map RA-VPN 1 set reverse-route
crypto map RA-VPN 65535 ipsec-isakmp dynamic RA-VPN
crypto map RA-VPN interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 10
crypto isakmp ipsec-over-tcp port 1000

telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

console timeout 0

management-access inside

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname emailaddress@bellsouth.net
vpdn group pppoe_group ppp authentication pap
vpdn username emailaddress@bellsouth.net password *****

dhcpd dns 192.168.*.* 4.2.2.2
dhcpd lease 8400
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside

dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside

priority-queue inside
priority-queue outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn

group-policy examplevpn internal
group-policy examplevpn attributes
dns-server value 192.168.*.* 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value mydomain.local

username otherusers password hhckff6QokyoRdar encrypted privilege 10
username examplevpn password IKg0RMHfprF6Ya3u encrypted

username admin password DwCTJcBn.Q0dDe9z encrypted privilege 15
username admin attributes
vpn-group-policy examplevpn

username Vicky password kVVIdKLCZanWt.w6 encrypted privilege 15
username Vicky attributes
vpn-group-policy examplevpn

tunnel-group RA-VPN type remote-access

-----------TUNNEL GROUP FOR THE LOCAL TUNNEL-------------

tunnel-group examplevpn type remote-access
tunnel-group examplevpn general-attributes
address-pool vpnpool
authorization-server-group (outside) LOCAL
default-group-policy examplevpn

tunnel-group examplevpn ipsec-attributes
pre-shared-key *****

-----------TUNNEL GROUP FOR THE RADIUS/LDAP TUNNEL-------------

tunnel-group Radiusvpn type remote-access
tunnel-group Radiusvpn general-attributes
address-pool vpnpool
authentication-server-group LDAP_SERV_GROUP
tunnel-group Radiusvpn ipsec-attributes
pre-shared-key *****

class-map global-class
match default-inspection-traffic

class-map class_sip_tcp
match port tcp eq sip

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
class class_sip_tcp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:be674163196f614ba3efb4d766a27603
: end