Cisco Support Community

New Member

VPN client authentication against Active Directory

Hi,

I need to know how to configure the VPN client to authenticate against Active Directory for the VPN authentication.

We got the latest VPN client software with an ASA5510 running version 7.0.

Can we do this without the IAS RADIUS server?

Do you have an example of how to configure the ASA5510 for that?

Do we have to do something on the Active Directory to make it work?

Thanks for any replies!!

19 REPLIES
Cisco Employee

Re: VPN client authentication against Active Directory

The main section of the VPN client config is detailed here:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpnrmote.htm

This uses locally configured usernames and passwords on the ASA. I suggest you get it working with that first and only then proceed to try and set it up to authenticate using AD.

v7.0 did introduce a number of new user database options over the standard RADIUS/TACACS in 6.3 code. You can now natively authenticate to an AD database, so you do NOT need to use an IAS RADIUS server in between.

You then need to set up your NT domain controller with the following:

aaa-server ntauth protocol nt
aaa-server ntauth (inside) host x.x.x.x
   nt-auth-domain-controller <domain-controller-name>

Then map your VPN authentication to the "ntauth" AAA server process with:

tunnel-group testgroup general-attributes
   authentication-server-group ntauth

That should get you going.

New Member

Re: VPN client authentication against Active Directory

Hi,

Thanks for the answers. I will try the NT auth with Active Directory.

My understanding was that the NT Domain authentication option was not compatible with Active Directory. I thought we could use the NT auth only with the old NT domain database.

Thanks

New Member

Re: VPN client authentication against Active Directory

If you are using the local authentication on the ASA, is it possible to VPN if there is no username specified? I am trying to VPN into a customer's ASA and have everything configured except for the username command. I think I'm stuck until I go back out and configure a user on the ASA.

When I try connecting using the VPN client, I get the username and password prompt, but have no user configured. Previously, they had a PIX501 and it connected with the group info and password. Now, it's prompting for the username and password which aren't there.

Any suggestions in the meantime?

Thanks,

Kevin

New Member

Re: VPN client authentication against Active Directory

I guess if you are not using RADIUS or TACACS+ you have to use the local database for authentication. For local authentication to happen you have to have a minimum of 1 username statement.

New Member

Re: VPN client authentication against Active Directory

I called the customer and had him add the username command in the config.

Then, I could enter that username and password in the VPN client prompt, which let me in.

On a side note, they previously had a PIX 501 with 6.x code. Now, they have a new ASA 5510. When I copy/pasted some of the commands, such as the fixup protocol and VPN group commands, it's pretty neat when it converts the commands to the new 7.x commands.

Kevin

New Member

Re: VPN client authentication against Active Directory

This was nice, I tried it and it worked. Now, is there any way we can log which user has authenticated successfully and at what time?

Thanks,

Shakeel

New Member

Re: VPN client authentication against Active Directory

If you are using a Linux server setup then you can use the default SYSLOG server that comes with Linux. If you are using a Windows server setup then you can install any of the free syslog servers available on the net (www.kiwisyslog.com). You would then have to configure your firewall to send syslog messages to your server. Following is the syslog setup for my firewall. I have suppressed some messages. You can configure according to your needs:

logging on
logging monitor informational
logging trap errors
logging host inside <syslog-server-ip>
no logging message 106023
no logging message 305005
no logging message 305012
no logging message 302010
no logging message 302014
no logging message 304001
no logging message 302016

For VPN authentication you will get the following logs:

2006-01-06 08:00:48 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10308', sid 2603
2006-01-06 09:46:59 Local4.Critical 172.x.x.x %PIX-2-109011: Authen Session Start: user '10164', sid 2605

Also keep the time synchronised between your firewall and syslog server if you are not sending timestamps for your syslog messages to your syslog server. For time synchronisation you can use a trusted NTP server like 192.43.244.18. If you are really getting good results from my suggestions, rating them will be nice of you.
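The reply above answers "which user authenticated and when" by pointing at the 109011 syslog message. The following is an added example, not code from the thread, that pulls those sessions out of a syslog file: it matches the "Authen Session Start" message (accepting both the %PIX- and %ASA- prefixes), ignores everything else, and groups start times by user. The sample log is constructed from the two lines quoted in the post, with a made-up device address and one unrelated deny message.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Matches message id 109011 ("Authen Session Start") as written by a syslog
# server that prepends its own timestamp and facility/severity (as in the post).
AUTH_START_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\S+ (?P<device>\S+) %(?:PIX|ASA)-\d-109011: "
    r"Authen Session Start: user '(?P<user>[^']*)', sid (?P<sid>\d+)\s*$"
)

class AuthSession(NamedTuple):
    started: datetime
    device: str
    user: str
    sid: int

def parse_auth_sessions(log_text: str) -> List[AuthSession]:
    """Return one AuthSession per 109011 line; any other message is skipped."""
    sessions: List[AuthSession] = []
    for line in log_text.splitlines():
        m = AUTH_START_RE.match(line)
        if m is None:
            continue  # not an authentication-start message (e.g. a 106023 deny)
        sessions.append(AuthSession(
            datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            m.group("device"), m.group("user"), int(m.group("sid"))))
    return sessions

def sessions_by_user(sessions: List[AuthSession]) -> Dict[str, List[datetime]]:
    """Group session start times by user for a 'who logged in when' report."""
    report: Dict[str, List[datetime]] = {}
    for s in sessions:
        report.setdefault(s.user, []).append(s.started)
    return report

# Constructed sample: the two 109011 lines quoted in the post (device address
# made up in place of 172.x.x.x) plus one unrelated message that must be ignored.
SAMPLE_LOG = """\
2006-01-06 08:00:48 Local4.Critical 172.16.0.1 %PIX-2-109011: Authen Session Start: user '10308', sid 2603
2006-01-06 09:46:59 Local4.Critical 172.16.0.1 %PIX-2-109011: Authen Session Start: user '10164', sid 2605
2006-01-06 09:47:10 Local4.Warning 172.16.0.1 %PIX-4-106023: Deny tcp src outside:10.1.1.1/1234 dst inside:10.2.2.2/445 by access-group "outside_in"
"""

if __name__ == "__main__":
    for user, times in sessions_by_user(parse_auth_sessions(SAMPLE_LOG)).items():
        print(user, [t.isoformat() for t in times])
```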


New Member

Re: VPN client authentication against Active Directory

I am sorry. Since this site is running very slow my post got appended twice. Mr. Administrator, this site is great but believe me it's damn slow.

New Member

Re: VPN client authentication against Active Directory

This is an excellent answer.

AD is an LDAP/Kerberos directory too.

For AD authentication with Cisco VPN Client, can I use LDAP or Kerberos?

Do I lose some feature by using the NT auth?

I thought the same thing, that NT auth was for NT4 PDC/BDC.

Thank you

New Member

Re: VPN client authentication against Active Directory

The concept of IAS (the RADIUS server of Windows) works on LDAP. Anyway, I have found that with the new PIX OS, i.e. v7.0, there is an option to directly authenticate against AD, which I guess works on LDAP again. I just got to work on the new OS for a few days, but unfortunately could not test this feature.

Re: VPN client authentication against Active Directory

Hi, the version 7.0 admin guide states that the LDAP server feature only supports authorization and not authentication; in which case the user needs to be authenticated by some other method, i.e. RADIUS, first.

New Member

Re: VPN client authentication against Active Directory

I have gotten the authentication against the AD server to work with an ASA 5520 7.1(1) and a fully patched Windows 2003 AD server. However, it allows anyone with an AD account to log in to the VPN. In the AD, under a user's properties you have a Dial-In tab that grants you authorization to use VPN. Can I use this to control which AD accounts can access VPN through the ASA?

See Case SR 603607315 for more info.

I have looked at the following document; however, the ASDM client I have is newer and different from the one in this doc. Last, it does not specify what you can and cannot leverage from the AD tree.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml#steps

John

New Member

Re: VPN client authentication against Active Directory

John, did you ever get this working? I have noticed also that even when I deny permission for the AD account, it still lets them authenticate.

New Member

Re: VPN client authentication against Active Directory

VPN client software has nothing to do with VPN authentication. VPN authentication is handled at the point where the VPN connection is terminated, in your case the ASA. As far as my knowledge goes, you don't require the IAS server for authentication with the ASA5510, as the ASA has built-in support for Active Directory/LDAP/NTLM. If you select the Active Directory option you just need to specify the domain name, and I don't recollect any further settings. Just tweak a bit and you will definitely be successful. It's pretty simple. In case you have any further doubts, do revert back.

Thanks & Regards,

Baudhayan Lahiri

An IDEA can change your life !!!!!

New Member

Re: VPN client authentication against Active Directory

With that current setup, you can't restrict which users in your domain. Is there a way to restrict which users can be authorized to access the VPN?

New Member

Re: VPN client authentication against Active Directory

John, did you get authorization to work with this? Did the dial-in attribute help with allowing only certain users VPN access?

thank you

New Member

Re: VPN client authentication against Active Directory

Did anyone ever officially answer this? I am in the same boat of trying to set up VPN access to authenticate through AD. I have it working great, but the only issue now is "how to restrict who can actually log in to the VPN." I don't want everyone who has an AD account to be able to VPN in to the company. That is BEGGING for trouble. I want to be able to use AD to allow or deny the VPN login.

New Member

Re: VPN client authentication against Active Directory

Did you ever get a response on how to get this working? Cisco's docs don't work and I'm in the same boat.
