cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1097
Views
0
Helpful
4
Replies

Need ASA 5510 8.2 to authenticate with AD Win2K3

joe-campbell
Level 1
Level 1

We just migrated from a pair of PIX 515's running 6.3(5) to ASA 5510 running 8.2(3).

We need to replace our remote client VPN configuration with one that integrates into Active Directory on Win2K3 server.

Understand this can be done with Microsoft IAS process.  Here's the twist.  When remote VPN client connects to the ASA and authenticates with AD (e.g. domain\john.doe) we want a specific IP address assigned so we are not only verifying the user via AD, but also able to track their VPN traffic (e.g. packet capture/wireshark).  Currently we use a IP LOCAL POOL ... cmd with our current static pre-shared key approach.    Maybe I should restate my questions to be:  Can the VPN client entered AD credentials be used to determine which IP LOCAL POOL group is used?

Please advise.  Thanks in advance - Joe

4 Replies 4

Herbert Baerten
Cisco Employee
Cisco Employee

Joe,

yes this should be possible - or alternatively you could even let the server specify the ip address for each user.

Are you using LDAP or Radius for authentication?

Herbert

jkiehnle
Level 1
Level 1

This can be done 2 ways.

1. make the ASA authenticate to CSACS and have the CSACS look to MS AD for external auth credentials... this is very common.

2. make the ASA authenticate to directly to MS AD via MS IAS (radius)... now called Network Policy Server or something like that.

Let me know If you need additional explanation.

jk

I've got the Cisco VPN client 5.x setup with connection profile to Tunnel Group name and pre-shared key.

Client is communicating with the ASA and is getting prompted for user login.  I have the ASA configured for aaa radius authentication to MS IAS on Windows 2003K server.   Experimenting on the IAS side between the IAS config "connection policies" and AD user profile.  I can now assign a static IP address to the remote VPN client which is nice!  This can be done two ways... either in IAS connection profile or in AD user profile.  What I'm working on next is having the IAS server pass back to the ASA (radius client) a acl list # (filter.id = 80.id) where I have an access-list 80 statement defined.  Not finished up with setup.  Any advice/input on this piece would be helpful.

The basic goals of this exercise/project include:

1.  Remote Cisco VPN users authenticating with AD.

2.  Pre-configured .pcf file created and deployed to remote users.

3.  Unique static IP's assigned to all VPN users for audit purposes (or troubleshooting).

4.  Apply ACL's to VPN users based on their assigned static IP so I can control what subnet's/IP's they can reach.

So far so go... We are a month or so away from implementing our first Windows 2008 server, so I'm fine with getting this to work for our 20-30 remote users with IAS in Win2Kserver environment while I get educated on NSP.

Joe

Hi Joe,

thanks for sharing your findings! Could I perhaps persuade you to create a CSC document to explain in just a bit more detail how to do this on the IAS side? I'm sure many customers using IAS would find this helpful since most - if not all - of the Cisco-generated documentation uses Cisco ACS as a Radius server.

As for the ACL name, you can pass that as radius attribute 11 aka "filter-id" but it sounds like you already found that in IAS. The value should be the name of an ACL that is defined on the ASA, so simply "80", not "80.id" (not sure if that was a typo so just thought I'd mention it). It also doesn't have to be a numbered ACL, you can also configure "access-list vpn-joe permit ip any any" and then push "joe-vpn" as the filter-id.

The config guide has a table showing all the Radius attributes you can use:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ref_extserver.html

Table C7 lists the Cisco specific attributes (VSA - Vendor Specific Attributes). On IAS you probably need to define these manually as attribute type 26 (Vendor specific), vendor code 3076 (Cisco ASA), then the sub-type (aka vendor-type) as listed in the table under "attribute #".

Table C8 shows the IETF attributes (standardized, i.e. non vendor specific), IAS should already know these (such as filter-id and framed-ip-address) although it might name them differently.

hth

Herbert