06-29-2012 02:56 PM - edited 03-10-2019 07:15 PM
Hi,
I am trying to set up RA VPN on ASA 8.4 with 2 groups - VPNGp1 and VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will access 5.6.7.0/24. User authentication will happen using ACS 5.3 Radius.
On ASA, I have configured the IP pools, VPN ACLs, VPN groups, group policies for each group, and tunnel groups.
On ACS, I have created vpn-user1 and vpn-user2 for each of 2 groups.
I am not sure if some more configuration needs to be done on ASA and ACS... Do I need to add new users - vpn-user1 and vpn-user2 - on ASA, under each corresponding group policy, using the vpn-group-policy command? Or do I need to do something else on ACS?
Lastly, how can I configure authorization and accounting for the VPN users? Do I need to do this on ACS or on ASA?
Please advise.
Thanks.
06-30-2012 08:15 AM
Hi,
The purpose of using radius authentication is to centralize the user accounts and policies so that you will not have to configure these on the ASA. You will need to create an authentication server group that points to your ACS, then you will have to reference this server-group to your tunnel-group so user authentication requests will be forwarded to ACS for authentication. For accounting you will create an accounting server group and also assign that to your tunnel group configuration.
On the ACS you will have to create a network device client which is the ASA, and the shared secret will have to be the same. You will create a network authorization policy element which will have any authorization parameters, or you can choose Permit Access, which allows authentication to succeed without any special permissions.
You can debug the session by using debug crypto vpnclient 255 to see the authentication flow.
Are you using SSL vpn (anyconnect) for these sessions?
Thanks
Tarik Admani
06-30-2012 12:21 PM
Hi Tarik,
I am trying to configure remote access vpn, not ssl vpn.
On ASA, I have done this:
aaa-server tacacsgroup protocol tacacs+
aaa-server tacacsgroup (management) host 1.2.3.4
key cisco
aaa authentication ssh console tacacsgroup local
aaa authorization command tacacsgroup
aaa accounting ssh console tacacsgroup
aaa accounting command tacacsgroup
aaa-server radgroup protocol radius
aaa-server radgroup (management) host 1.2.3.4
key cisco
I have created the ip pools, interesting traffic ACLs, group policies, and tunnel groups.
On ACS, I have added asa as AAA client, created vpn-user1 and vpn-user2 and configured the authorization policy for each.
Is this config complete for RA vpn with authentication, authorization and accounting from ACS?
How can I confirm that AAA (authentication, authorization and accounting of commands) of RA vpn users is happening via ACS?
Thanks.
06-30-2012 08:26 PM
Please post the tunnel group configurations also. You have to reference the authentication server group and accounting server group.
There is no command accounting for remote access VPN, just details about the connection: connection time, data consumption, etc.
If you're asking how to verify from the ACS side, check the monitoring and reports section and see the RADIUS authentication and RADIUS accounting reports.
You can create an internal user on the ASA and attempt to authenticate to see if you are denied, so you know the request is going to the ACS server.
Just so you know you can join acs to AD and use accounts in active directory.
Thanks,
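As an added example (not part of the thread), this is what referencing both server groups in one of the thread's tunnel groups looks like, together with the ASA-side checks that confirm requests actually reach ACS. The interface name, server address, group names and shared key are taken from the configuration posted in this thread; the user password is a placeholder.

```cisco
! Added example, not from the thread. RADIUS server group as already
! defined above; the same group serves authentication and accounting.
aaa-server radgroup protocol radius
aaa-server radgroup (management) host 1.2.3.4
 key cisco
!
! Tunnel group for the first VPN group, now referencing radgroup for
! both authentication and accounting (the accounting-server-group line
! is the one missing from the posted configuration).
tunnel-group grponeTunGrp type remote-access
tunnel-group grponeTunGrp general-attributes
 default-group-policy grponeGrpPol
 address-pool grponepool
 authentication-server-group radgroup
 accounting-server-group radgroup
!
! Verification from the ASA side, without starting a VPN session:
! send a RADIUS Access-Request for vpn-user1 to ACS and print the result
! (<password> is a placeholder for the ACS account password)
test aaa-server authentication radgroup host 1.2.3.4 username vpn-user1 password <password>
! server state plus request, accept and reject counters for the group
show aaa-server radgroup
! active remote-access sessions and the pool address each was assigned
show vpn-sessiondb
```

If the test command reports the server as unreachable or the reject counter rises on a known-good account, check the shared secret and the network device entry on ACS before touching the tunnel groups.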
07-01-2012 06:55 AM
Hi Tarik,
This is the ra vpn config from my asa:
ciscoasa(config)# ip local pool grponepool 192.168.1.1-192.168.1.50 mask 255.255.255.0
ciscoasa(config)# ip local pool grptwopool 192.168.1.100-192.168.1.150 mask 255.255.255.0
ciscoasa(config)# access-list Test_Split_ACL standard permit 172.16.0.0 255.255.0.0
ciscoasa(config)# group-policy grponeGrpPol internal
ciscoasa(config)# group-policy grponeGrpPol attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol ikev1
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value Test_Split_ACL
ciscoasa(config-group-policy)# dns-server value 10.10.10.10
ciscoasa(config-group-policy)# default-domain value domain.com
ciscoasa(config-group-policy)# vpn-filter value grponeACL
ciscoasa(config)# group-policy grptwoGrpPol internal
ciscoasa(config)# group-policy grptwoGrpPol attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol ikev1
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value Test_Split_ACL
ciscoasa(config-group-policy)# dns-server value 10.10.10.10
ciscoasa(config-group-policy)# default-domain value domain.com
ciscoasa(config-group-policy)# vpn-filter value grptwoACL
ciscoasa(config)# tunnel-group grponeTunGrp type remote-access
ciscoasa(config)# tunnel-group grponeTunGrp general-attributes
ciscoasa(config-tunnel-general)# default-group-policy grponeGrpPol
ciscoasa(config-tunnel-general)# address-pool grponepool
ciscoasa(config-tunnel-general)# authentication-server-group radgroup
ciscoasa(config)# tunnel-group grponeTunGrp ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key *****
ciscoasa(config)# tunnel-group grptwoTunGrp type remote-access
ciscoasa(config)# tunnel-group grptwoTunGrp general-attributes
ciscoasa(config-tunnel-general)# default-group-policy grptwoGrpPol
ciscoasa(config-tunnel-general)# address-pool grptwopool
ciscoasa(config-tunnel-general)# authentication-server-group radgroup
ciscoasa(config)# tunnel-group grptwoTunGrp ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key *****
This is the aaa config from my asa:
ciscoasa(config)# aaa-server tacacsgroup protocol tacacs+
ciscoasa(config)# aaa-server tacacsgroup (management) host 1.2.3.4
ciscoasa(config-aaa-server-host)# key cisco
ciscoasa(config)# aaa authentication ssh console tacacsgroup local
ciscoasa(config)# aaa authorization command tacacsgroup
ciscoasa(config)# aaa accounting ssh console tacacsgroup
ciscoasa(config)# aaa accounting command tacacsgroup
ciscoasa(config)# aaa-server radgroup protocol radius
ciscoasa(config)# aaa-server radgroup (management) host 1.2.3.4
ciscoasa(config-aaa-server-host)# key cisco
Does this look complete? Or should I add 'accounting-server-group' also to the tunnel group config? As you said, accounting for RA VPN does not log commands run by users, only connection related information.
I made tacacsgroup so I can use acs for authenticating my admin users, when I ssh into asa for managing it.
I checked ACS monitoring and reports and yes, I find the TACACS event reports and RADIUS auth and accounting reports. But there is no RADIUS authorization report..?
Now if I understand correctly, when I SSH into the ASA, the ASA sends an access request to ACS, ACS confirms the username and password, and records the authentication and authorization events. From here, when I run any command, those will also be logged in ACS. And I will be able to view these in ACS monitoring and reports under TACACS reports.
For a VPN user, when the user connects via the VPN client, the group info will be passed along with the userid entered for authentication. The ASA will receive the request and ask ACS for validation. If the login information is right, then ACS will confirm and, based on the group membership, the VPN user will be given an IP address from one of the 2 pools. Then, based on what privilege level I assign to the group user on ACS via the authorization policy, the user will be able to run those commands on the ASA. Am I right?
So everything related to AAA happens using ACS. Is there a way I can check authentication, authorization and accounting events on the ASA for both the VPN user and my admin user?
Thanks.
07-01-2012 08:02 PM
Hi,
RADIUS is a different protocol than TACACS; the authorization in RADIUS is the response sent in the access-accept. Unlike TACACS, where once authentication succeeds the ASA in this case will send an authorization packet to ACS, and that is done for every command if you choose command authorization.
When you look at your configuration:
The aaa authentication commands are used to authenticate admin access to the ASA using TACACS; there is no way a RADIUS user will be able to administer this device (unless your users in ACS match the same TACACS policies). Your configuration for RADIUS is only referenced in the tunnel-group in order to authenticate the users for network access. You can implement command authorization using RADIUS, but it's not practical based on the design of the protocol itself.
Thanks,
Tarik
07-01-2012 08:18 PM
Okay, right. The RA VPN users only need to access some servers in the internal LAN, and for each RA VPN group I mapped the ACLs. So yeah, RADIUS will be used to authenticate the RA VPN user.
Is there a way I can check authentication, authorization and accounting events on the ASA for both the VPN user and my admin user?
Many Thanks.
07-01-2012 08:26 PM
You can issue debug VPN-sessiondb 255, and capture the debugs for the client.
Thanks,
Tarik
07-01-2012 08:33 PM
Ok Tarik. Thanks for answering my doubts. It was very helpful to me.
Thanks again!