Beginner

AD Authentication for Client VPN

Hi,

I am using a Cisco 1812 as an EZVPN server. I want to use Active Directory for VPN user authentication. I have been trying for a couple of days, but with no success.

With ASA, I am able to authenticate against AD, but not with the IOS router. Below are my configurations:

aaa authentication login AD krb5
kerberos local-realm THECCIEGROUP.LOCAL
kerberos realm thecciegroup.local THECCIEGROUP.LOCAL
kerberos realm .thecciegroup.local THECCIEGROUP.LOCAL
kerberos server THECCIEGROUP.LOCAL 10.10.102.2
kerberos preauth encrypted-kerberos-timestamp
kerberos credentials forward

If Kerberos authentication is not possible, I would like to know the possibility of using AD as an ACS external database. I am running both AD and ACS on the same server. If I can integrate AD with ACS, I can use TACACS or RADIUS for the authentication.

Thanks & Regards,

Vamsi Pinnaka

Bangalore.

Accepted Solutions
Cisco Employee

AD Authentication for Client VPN

I can answer from the ACS side.

Yes, you can integrate ACS with AD, and then the switch uses ACS like a RADIUS server. ACS checks AD through Kerberos in the backend, transparently.

If you have ACS 4.x running on a Windows PC that is a member server of the domain, the integration is actually done automatically.
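
Added example, not part of the original thread or the posters' configuration: IOS configuration for the approach in this answer, where the EZVPN router sends Xauth logins to ACS over RADIUS and ACS checks them against AD. The list names, the crypto map name and the shared-secret placeholder are assumptions; 10.10.102.2 is the server address from the question, where AD and ACS run on the same host.

```cisco
! Added example. VPN-XAUTH, VPN-GROUP and CLIENTMAP are hypothetical names;
! <shared-secret> is a placeholder that must match the AAA client entry
! created for this router in ACS.
aaa new-model
!
! Xauth user logins go to RADIUS (ACS). The "local" keyword after the group
! is a fallback used only when the RADIUS server does not respond.
aaa authentication login VPN-XAUTH group radius local
!
! EZVPN group policy (pool, DNS, split tunnel) stays on the router here,
! in the existing "crypto isakmp client configuration group" definition.
aaa authorization network VPN-GROUP local
!
! ACS server from the question (same host as AD).
radius-server host 10.10.102.2 key <shared-secret>
!
! Bind the AAA lists to the crypto map that terminates the EZVPN clients.
crypto map CLIENTMAP client authentication list VPN-XAUTH
crypto map CLIENTMAP isakmp authorization list VPN-GROUP
crypto map CLIENTMAP client configuration address respond
```

On the ACS side the router must exist as an AAA client with the same shared secret, and unknown users must be mapped to the Windows external database so that AD credentials are accepted.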

Beginner

AD Authentication for Client VPN

Thanks for your reply. Better that I go with ACS with AD. I can have better authorization features with TACACS...

I will do this and let you know.

Thanks & Regards,

Vamsi Pinnaka

Bangalore

Beginner

AD Authentication for Client VPN

Working perfectly. Successfully integrated AD with ACS external database.

Thanks & Regards,

Vamsi Pinnaka

Bangalore