10-14-2005 09:03 AM
Hi,
I need to know how to configure the VPN client to authenticate against Active Directory for the VPN authentication.
We got the latest vpn client software with a ASA5510 running version 7.0
Can we do this without the IAS radius server?
Do you have an example of how to configure the ASA5510 for that?
Do we have to do something on the Active Directory to make it work?
Thanks for any replies!!
10-16-2005 10:58 PM
The main section of the VPN client config is detailed here:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpnrmote.htm
This uses locally configured usernames and passwords on the ASA, I suggest you get it working with that first and only then proceed to try and set it up to authenticate using AD.
v7.0 did introduce a number of new user database options over the standard Radius/TACACS in 6.3 code. You can now natively authenticate to an AD database, so you do NOT need to use an IAS Radius server in between.
You then need to set up your NT domain controller with the following:
aaa-server ntauth protocol nt
aaa-server ntauth (inside) host x.x.x.x
nt-auth-domain-controller
Then map your VPN authentication to the "ntauth" AAA server process with:
tunnel-group testgroup general-attributes
authentication-server-group ntauth
That should get you going.
10-17-2005 04:02 AM
Hi,
Thanks for the answers. I will try the NT auth with
Active Directory.
My understanding was that the NT Domain authentication option was not compatible with Active Directory. I thought we could use the NT auth only with the old NT domain database.
thanks
12-28-2005 04:06 PM
If you are using the local authentication on the ASA, is it possible to VPN if there is no username specified? I am trying to VPN into a customer's ASA and have everything configured except for the username command. I think I'm stuck until I go back out and configure a user on the ASA.
When I try connecting using the VPN client, I get the username and password prompt, but have no user configured. Previously, they had a PIX501 and it connected with the group info and password. Now, it's prompting for the username and password which aren't there.
Any suggestions in the meantime?
Thanks,
Kevin
12-30-2005 08:17 AM
I guess if u r not using RADIUS or TACACS+ u have 2 use d local database 4 authentication. For local authentication 2 happen u have 2 have a minimum of 1 username statement.
12-30-2005 08:56 AM
I called the customer and had him add the username command in the config.
Then, I could enter that username and password in the VPN client prompt which let me in.
On a side note, they previously had a PIX 501 with 6.x code. Now, they have a new ASA 5510. When I copy/pasted some of the commands, such as the fixup protocol and VPN group commands, it's pretty neat when it converts the commands to the new 7.x commands.
Kevin
01-06-2006 04:12 AM
This was nice, I tried it and it worked. Now is there any way we can log which user has authenticated successfully and at what time?
thanks,
Shakeel
01-06-2006 08:59 AM
If u r using a Linux server setup then u can use d default SYSLOG server tht cums with Linux. If u r using a Windows server setup then u can install any of d free syslog servers available on d net (www.kiwisyslog.com). U wud then have 2 configure ur firewall 2 send syslog msgs 2 ur server. Following is d syslog setup 4 my firewall. I have suppressed sum msgs. U can configure according 2 ur needs:-
logging on
logging monitor informational
logging trap errors
logging host inside
no logging message 106023
no logging message 305005
no logging message 305012
no logging message 302010
no logging message 302014
no logging message 304001
no logging message 302016
For VPN authentication u will get following logs:-
2006-01-06 08:00:48 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10308', sid 2603
2006-01-06 09:46:59 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10164', sid 2605
Also keep d time synchronised between ur firewall & syslog server if u r not sending timestamp 4 ur syslog msgs 2 ur syslog server. For time synchronisation u can use a trusted NTP server like 192.43.244.18. If u r really getting gud results from my suggestions rating them will b nice of u.
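To answer the "which user authenticated and when" question from the log lines quoted above, here is an added example (not from the original poster or from Cisco) that parses the %PIX-2-109011 "Authen Session Start" messages out of a syslog server's text log and produces a per-user login list. The sample log is constructed: it contains the two lines quoted in the post plus a constructed unrelated 302013 connection message to show that non-authentication lines are ignored. The line layout (date, time, facility.severity, source host, message) is assumed to be what the syslog server writes; accepting a %ASA- prefix as well as %PIX- is also an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: the two 109011 lines quoted in the post plus one
# unrelated (constructed) 302013 line that the parser must skip.
SAMPLE_LOG = """\
2006-01-06 08:00:48 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10308', sid 2603
2006-01-06 08:01:02 Local4.Info 172.x.x.x %PIX-6-302013: Built outbound TCP connection 12345 for outside:10.0.0.5/443 (10.0.0.5/443) to inside:192.168.1.10/51000 (192.168.1.10/51000)
2006-01-06 09:46:59 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10164', sid 2605
2006-01-06 09:47:10 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10308', sid 2606
"""

# Assumed syslog-server line layout: "<date> <time> <facility.severity> <host> <message>".
# The message body is the 109011 format shown in the post. Both %PIX- and %ASA-
# prefixes are accepted (assumption: ASA 7.x tags its messages with %ASA-).
AUTH_START_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facsev>\S+) "
    r"(?P<host>\S+) "
    r"%(?:PIX|ASA)-(?P<sev>\d)-109011: "
    r"Authen Session Start: user '(?P<user>[^']*)', sid (?P<sid>\d+)$"
)


def parse_auth_sessions(log_text):
    """Return one dict per 109011 message: time, firewall host, user and session id."""
    sessions = []
    for line in log_text.splitlines():
        m = AUTH_START_RE.match(line.strip())
        if not m:
            continue  # not an authentication-start message; ignore it
        sessions.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "host": m.group("host"),
            "user": m.group("user"),
            "sid": int(m.group("sid")),
        })
    return sessions


def logins_per_user(sessions):
    """Count successful authentication starts per username."""
    return dict(Counter(s["user"] for s in sessions))


def format_report(sessions):
    """One human-readable line per session, in log order."""
    return [
        f"{s['time']:%Y-%m-%d %H:%M:%S}  user={s['user']}  sid={s['sid']}  fw={s['host']}"
        for s in sessions
    ]


if __name__ == "__main__":
    found = parse_auth_sessions(SAMPLE_LOG)
    for row in format_report(found):
        print(row)
    print(logins_per_user(found))
```

Two points worth keeping in mind when running this against a real log: 109011 is a severity-2 (critical) message, so the `logging trap errors` setting in the post (level 3 and more severe) is enough for it to reach the syslog server; and, as the post notes, if the firewall does not send its own timestamp, the time at the front of each line is the syslog server's clock, which is why both clocks should be NTP-synchronised before the report is trusted.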
01-06-2006 09:54 AM
I am sorry. Since this site is running vvvvv slow my post got appended twice. Mr. Administrator this site is gr8 but believe me it's damn slow.
04-23-2006 04:21 PM
This is an excellent answer.
AD is an LDAP, KERBEROS directory too
For AD authentication with Cisco VPN Client, can I use LDAP or Kerberos?
Do I lose some feature by using the NT auth.?
I thought the same thing, that NT auth. was for NT4 PDC/BDC
Thank you
04-23-2006 09:47 PM
The concept of IAS (RADIUS server of Windows) works on LDAP. Anyways I have found tht with the new PIX OS i.e. v7.0, there is an option to directly authenticate against AD, which I guess works on LDAP again. I just got 2 work on d new OS 4 few days, but unfortunately cud not test this feature.
04-25-2006 12:31 AM
Hi, the version 7.0 admin guide states that the LDAP server feature only supports authorization and not authentication, in which case the user needs to be authenticated by some other method, i.e. RADIUS first.
06-06-2006 08:14 AM
I have gotten the authentication against the AD server to work with an ASA 5520 7.1(1) and fully patched Windows 2003 AD Server. However, it allows anyone with an AD account to login to the VPN. In the AD, under a user preference you have a Dial In Tab that grants you authorization to use VPN. Can I use this to control which AD accounts can access VPN through the ASA?
See Case SR 603607315 for more info.
I have looked at the following document, however the ASDM client I have is newer and different from the one in this doc. Last, it does not specify what you can and cannot leverage from the AD tree.
John
06-05-2007 05:04 AM
John, did you ever get this working? I have noticed also that whether I deny permission for the AD account it still lets them authenticate.